ccdconfig sgid kmem BSD exploit

Description:ccdconfig is sgid kmem and can be exploited to read /dev/mem . It shouldn't be too tough to leverage this into root access.
Author:Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems:NetBSD, FreeBSD, older version of OpenBSD
Date:31 December 1997

Date: Wed, 31 Dec 1997 02:02:31 +0000
From: Niall Smart <rotel@INDIGO.IE>
Subject: Vulnerability in ccdconfig


FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the
argument to -f:

[nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory

I had to cat /etc/master.passwd in another window to get this to
work though :) So perhaps its not very easily exploitable, but
is worth fixing nonetheless.

This bug was also spotted by and fixed in OpenBSD
some time ago.


 * FreeBSD and NetBSD have been notified of the problem and have fixed
   it in their source tree's as of yesterday  (FreeBSD-current,
   FreeBSD-stable, NetBSD-current)  Retrieve the patched ccdconfig.c
   and compile yourself a new ccdconfig.

 * "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be
   sgid kmem.



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: