From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 20:28:31 2009
From: Ivan Voras
Date: Thu, 03 Dec 2009 12:27:58 +0100
To: Borja Marcos
Cc: freebsd-security@freebsd.org
Subject: Re: Upcoming FreeBSD Security Advisory
Message-ID: <4B17A0BE.9090502@fer.hr>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org>

Borja Marcos wrote:
> On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
>
>> A short time ago a "local root" exploit was posted to the full-disclosure
>> mailing list; as the name suggests, this allows a local user to execute
>> arbitrary code as root.
>
> Dr. Strangelove, or How I learned to love the MAC subsystem.

Hi,

Could you point to, or write, some tutorial-like documentation on how you
use the MAC for this particular purpose? I tried reading the mac* man pages
in several instances before but can't seem to connect the theory described
in there with how to apply it in a practical way.

> # uname -a
> FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009
> root@test:/usr/obj/usr/src/sys/TEST amd64
>
>
> $ gcc -o program.o -c program.c -fPIC
> $ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> $ ./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # id
> uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
> # /usr/sbin/getpmac
> biba/high(low-high)
>
> And of course it's root.
>
> Now,
>
> $ setpmac biba/low\(low-low\) csh
> %pwd
> /tmp
> %./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> #
> ** OMG!! IT WORKED!!.
>
> BUT
>
> # touch /etc/testing_the_exploit
> touch: /etc/testing_the_exploit: Permission denied
> # ls -l /usr/sbin/getpmac
> -r-xr-xr-x 1 root wheel 7144 May 1 2009 /usr/sbin/getpmac
> # /usr/sbin/getpmac
> biba/low(low-low)
>
> OOHHHHH, we have a toothless root. Maybe a "riit"?
>
>
> Pity these serious security mechanisms don't get a widespread usage.
>
>
> Borja.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
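The session Borja quotes is an instance of the Biba integrity rules that mac_biba(4) enforces ("no write up, no read down"). The following model of the label syntax and dominance check is an added example, not code from this thread or from FreeBSD; it assumes /etc objects carry biba/high (consistent with the root shell's default label in the session) and models only the effective part of a subject label, ignoring the (low-high) range that governs relabeling.

```python
"""Model of FreeBSD mac_biba(4) label dominance (constructed example)."""
import re

# Effective label, optional numeric grade with '+'-joined compartments,
# optional "(low-high)" range, e.g. biba/low(low-low) or biba/10:2+3.
LABEL_RE = re.compile(
    r"^biba/(low|high|equal|(\d+)(?::(\d+(?:\+\d+)*))?)(?:\((.*)\))?$")

def parse_biba(label):
    """Return (grade, compartments) for the effective part of a label.
    grade is an int or one of 'low', 'high', 'equal'."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError("not a biba label: %r" % label)
    kind, grade, comps, _range = m.groups()   # range is ignored here
    if grade is None:
        return kind, frozenset()
    return int(grade), (frozenset(int(c) for c in comps.split("+"))
                        if comps else frozenset())

def dominates(a, b):
    """True if label a's integrity is at least label b's."""
    ga, ca = a
    gb, cb = b
    if ga == "equal" or gb == "equal" or ga == "high":
        return True
    if gb == "high":
        return False
    if ga == "low":
        return gb == "low"
    if gb == "low":
        return True
    return ga >= gb and cb <= ca            # numeric grade and compartments

def may_write(subject, obj):
    """Biba 'no write up': subject must dominate the object to modify it."""
    return dominates(parse_biba(subject), parse_biba(obj))

def may_read(subject, obj):
    """Biba 'no read down': object must dominate the subject to be read/executed."""
    return dominates(parse_biba(obj), parse_biba(subject))

def replay_session():
    """Re-derive the outcomes seen in the quoted session."""
    etc_file = "biba/high"   # assumption: /etc objects default to biba/high
    return {
        "root at biba/high(low-high) writes /etc": may_write("biba/high(low-high)", etc_file),
        "setpmac'd root at biba/low(low-low) writes /etc": may_write("biba/low(low-low)", etc_file),
        "setpmac'd root at biba/low(low-low) reads a biba/high object": may_read("biba/low(low-low)", etc_file),
    }

if __name__ == "__main__":
    for what, ok in replay_session().items():
        print("%-62s %s" % (what, "permitted" if ok else "denied"))
```

The second entry is the "toothless root" from the session: euid 0 still cannot write an object whose integrity label it does not dominate.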