From owner-freebsd-security  Sat Apr 26 11:18:20 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id LAA01607
          for security-outgoing; Sat, 26 Apr 1997 11:18:20 -0700 (PDT)
Received: from thought.calbbs.com (thought.calbbs.com [207.71.213.16])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA01599
          for <security@freebsd.org>; Sat, 26 Apr 1997 11:18:16 -0700 (PDT)
Received: from localhost (localhost.calbbs.com [127.0.0.1]) by thought.calbbs.com (8.8.5/8.6.12) with SMTP id LAA00291 for <security@freebsd.org>; Sat, 26 Apr 1997 11:17:51 -0700 (PDT)
Date: Sat, 26 Apr 1997 11:17:51 -0700 (PDT)
From: Brian Buchanan <brian@wasteland.calbbs.com>
X-Sender: brian@thought.calbbs.com
Reply-To: Brian Buchanan <brian@wasteland.calbbs.com>
To: security@freebsd.org
Subject: Lowering securelevel from userland
Message-ID: <Pine.BSF.3.96.970426103543.163A-100000@thought.calbbs.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Description:

On my 2.2.1 system, I was able to lower the securelevel by taking over
init with gdb.  I compiled a copy of init with debug symbols by using
-ggdb in the compile flags, then ran gdb using that for the symbol table
and attached to process 1.  I was able to execute setsecuritylevel(0) from
gdb, although this caused the process to hang.  Sending a signal woke it
up long enough to let the securelevel get changed from 2 to 0 before init
died with a segmentation fault.  Even though the system was in an unstable
state, I was able to remove the schg flags from /kernel and /sbin/init
before rebooting the machine from the command line.

Impact:

An attacker who has gained superuser privilages can replace the kernel,
delete append-only logs, or thrash the disks, even on a system that
normally runs in highly secure mode.

Exploit:

One can do the following as the superuser to gain total control of a
machine running at securelevel 1 or 2.

gdb /usr/src/sbin/init/init.debug 1  (Attach to process 1, loading
                                      symbols from init compiled w/ -ggdb)
signal SIGHUP                   (Process will get SIGHUP when it resumes)
call setsecuritylevel(0)        (Make init lower the security level)
<security level will change to 0, init will segfault>
<suspend gdb or switch to another root shell, remove schg/sappnd
 flags from files, reboot the machine>

--
Brian Buchanan                  Mail:   brian@calbbs.com
UNIX sysadmin, webmaster                webmaster@calbbs.com