Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BSDI BSD/OS 4.0,FreeBSD 3.2,NetBSD 1.4 x86,OpenBSD 2.5 UFS Secure Level 1 Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 17 Views

BSDI BSD/OS 4.0,FreeBSD 3.2,NetBSD 1.4 x86,OpenBSD 2.5 UFS Secure Level 1 Vulnerability. Flaw in secure level 1 enables unauthorized modification by bypassing file flags and stealthy installation of backdoors

Code

                                                source: http://www.securityfocus.com/bid/510/info

In 4.4BSD derivatives there are four secure levels that provide for added filesystem security (among other things) over and above the regular unix permission systems. Part of the secure levels are the system of file flags which include immutable and append-only flags. In secure level 0, these flags are irrelevant. The vulnerability lies in the inherent flaw with security level 1. In security level 1, the file flags are acknowledged; files such as /usr/bin/login can be set immutable and so forth -- however, umounted partitions/devices can be freely written to and modified (by root, of course). Stealth <[email protected]> has written a tool which allows for an intruder who has gained root to bypass security level 1 through writing directly to the device and clearing the file flags. The tool also sets the CLEAN flag in the filesystem which fools the computer into thinking the modified device is clean avoiding detection at bootup. A hypothetical situation for exploit of this vulnerability is as follows,

Hacker compromises root on target host.
Hacker attempts backdoor insertion and realizes suid binaries are immutable.
Hacker verifies secure level is set to 1.
Hacker umounts /usr.
Hacker writes directly to device previously mounted as /usr, clearing file flags.
Hacker mounts modified device as /usr.
Hacker installs backdoored /usr/bin/login. 

http://www.exploit-db.com/sploits/19411.tgz

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
bsd derivativesfilesystem securityfile flagssecurity level 1umounted partitionsroot compromisebackdoor insertionsuid binariesbackdoored login
17