ccdconfig sgid kmem BSD exploit

Description: ccdconfig is sgid kmem and can be exploited to read /dev/mem. It shouldn't be too tough to leverage this into root access.
Author: Niall Smart <rotel@INDIGO.IE>
Compromise: root (local)
Vulnerable Systems: NetBSD, FreeBSD, older versions of OpenBSD
Date: 31 December 1997
Date: Wed, 31 Dec 1997 02:02:31 +0000
From: Niall Smart <rotel@INDIGO.IE>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in ccdconfig
Hi,
FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the
argument to -f:
[nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory
^C
I had to cat /etc/master.passwd in another window to get this to
work though :) So perhaps it's not very easily exploitable, but
is worth fixing nonetheless.
This bug was also spotted by olivier@secnet.com and fixed in OpenBSD
some time ago.
Fixes:
* FreeBSD and NetBSD have been notified of the problem and have fixed
it in their source trees as of yesterday (FreeBSD-current,
FreeBSD-stable, NetBSD-current). Retrieve the patched ccdconfig.c
and compile yourself a new ccdconfig.
* "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be
sgid kmem.
Regards,
Niall
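The second fix above is a permission change, so the useful check on a host is whether /sbin/ccdconfig (or anything else) is still setgid to group kmem. The following audit helper is an added example, not part of the advisory or of any BSD distribution; it takes the group name and the directories to scan as arguments, and the test below exercises it with a constructed temporary directory and the caller's own group rather than kmem.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for binaries that are setgid
# to a given group. On a BSD host the call of interest would be:
#   audit_sgid_group kmem /sbin /usr/sbin
# Any path printed still grants its group to every caller; after the
# recommended "chmod g-s /sbin/ccdconfig" that file must no longer appear.
audit_sgid_group() {
    group="$1"; shift
    # -perm -2000: setgid bit set; -group: owned by the named group.
    # Errors (unreadable directories) are suppressed so output stays a plain
    # list of paths, one per line.
    find "$@" -type f -perm -2000 -group "$group" 2>/dev/null
}

# Returns 0 (true) if the named file still carries the setgid bit, i.e. the
# "chmod g-s" mitigation has not been applied; 1 otherwise.
is_setgid() {
    [ -g "$1" ]
}

# Convenience wrapper for the specific binary in the advisory: prints a
# one-line verdict and returns 0 only when the bit has been removed.
check_ccdconfig() {
    bin="${1:-/sbin/ccdconfig}"
    if is_setgid "$bin"; then
        echo "$bin: still setgid (apply: chmod g-s $bin)"
        return 1
    fi
    echo "$bin: setgid bit not set"
    return 0
}
```

Run it as root so that find can descend into every system directory; an empty list from audit_sgid_group for group kmem is the expected post-fix state.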
This page is part of Fyodor's exploit world.