Date: Thu, 03 Dec 2009 12:27:58 +0100
From: Ivan Voras <ivoras@fer.hr>
To: Borja Marcos <borjam@sarenet.es>
Cc: freebsd-security@freebsd.org
Subject: Re: Upcoming FreeBSD Security Advisory
Message-ID: <4B17A0BE.9090502@fer.hr>
In-Reply-To: <CE6953AE-C4FD-4DD3-831D-ED4215A9AE93@sarenet.es>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org> <CE6953AE-C4FD-4DD3-831D-ED4215A9AE93@sarenet.es>
Borja Marcos wrote:
> On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
>
>> A short time ago a "local root" exploit was posted to the full-disclosure
>> mailing list; as the name suggests, this allows a local user to execute
>> arbitrary code as root.
>
> Dr. Strangelove, or How I learned to love the MAC subsystem.

Hi,

Could you point to, or write, some tutorial-like documentation on how you use the MAC for this particular purpose? I tried reading the mac* man pages in several instances before but can't seem to connect the theory described in there with how to apply it in a practical way.

> # uname -a
> FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009
> root@test:/usr/obj/usr/src/sys/TEST amd64
>
>
> $ gcc -o program.o -c program.c -fPIC
> $ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> $ ./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # id
> uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
> # /usr/sbin/getpmac
> biba/high(low-high)
>
> And of course it's root.
>
> Now,
>
> $ setpmac biba/low\(low-low\) csh
> %pwd
> /tmp
> %./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> #
> ** OMG!! IT WORKED!!.
>
> BUT
>
> # touch /etc/testing_the_exploit
> touch: /etc/testing_the_exploit: Permission denied
> # ls -l /usr/sbin/getpmac
> -r-xr-xr-x 1 root wheel 7144 May 1 2009 /usr/sbin/getpmac
> # /usr/sbin/getpmac
> biba/low(low-low)
>
> OOHHHHH, we have a toothless root. Maybe a "riit"?
>
>
> Pity these serious security mechanisms don't get a widespread usage.
>
>
> Borja.
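The transcript above relies on two mac_biba(4) rules (no write up, no read down) plus the range check setpmac(8) applies to relabeling. The following is an added, constructed model of those checks written for this archive page; it is not FreeBSD's code and not part of either message. It assumes /etc and /usr/sbin carry the default biba/high label and ignores Biba compartments.

```python
import re
from dataclasses import dataclass

# mac_biba grade ordering: "low" sits below every numeric grade, "high" above every one.
def grade_value(grade: str) -> int:
    if grade == "low":
        return -1
    if grade == "high":
        return 1 << 16
    if grade.isdigit() and int(grade) <= 65535:
        return int(grade)
    raise ValueError(f"bad biba grade: {grade}")

_LABEL = re.compile(r"^biba/(\w+)(?:\((\w+)-(\w+)\))?$")

@dataclass(frozen=True)
class BibaLabel:
    effective: int   # integrity the subject or object currently acts at
    low: int         # lowest grade the subject may relabel to (setpmac)
    high: int        # highest grade the subject may relabel to

def parse_label(text: str) -> BibaLabel:
    """Parse getpmac(8)-style text such as 'biba/low(low-low)' or 'biba/high'."""
    m = _LABEL.match(text.strip())
    if not m:
        raise ValueError(f"not a biba label: {text!r}")
    eff = grade_value(m.group(1))
    lo = grade_value(m.group(2)) if m.group(2) else eff
    hi = grade_value(m.group(3)) if m.group(3) else eff
    if not lo <= eff <= hi:
        raise ValueError(f"effective grade outside its range: {text!r}")
    return BibaLabel(eff, lo, hi)

def can_write(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No write up: only objects of equal or lower integrity may be modified."""
    return subject.effective >= obj.effective

def can_read(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No read down: only objects of equal or higher integrity may be read/executed."""
    return subject.effective <= obj.effective

def can_relabel(current: BibaLabel, requested: BibaLabel) -> bool:
    """setpmac(8): the requested label, range included, must lie inside the current range."""
    return current.low <= requested.low <= requested.effective <= requested.high <= current.high

def replay_transcript() -> dict:
    """Replay Borja's steps; euid plays no part, only the label decides."""
    shell = parse_label("biba/high(low-high)")    # the ordinary shell before setpmac
    low_shell = parse_label("biba/low(low-low)")  # setpmac biba/low(low-low) csh
    system_obj = parse_label("biba/high")         # assumed default label of /etc, /usr/sbin
    exploit_root = low_shell                      # the euid=0 process inherits the low label
    return {
        "setpmac_allowed": can_relabel(shell, low_shell),
        "touch_etc": can_write(exploit_root, system_obj),    # "Permission denied"
        "ls_getpmac": can_read(exploit_root, system_obj),    # ls -l /usr/sbin/getpmac works
        "escape_to_high": can_relabel(exploit_root, shell),  # range low-low: no way back up
    }
```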