Upcoming FreeBSD Security Advisory
Ivan Voras
ivoras at fer.hr
Thu Dec 3 20:28:31 UTC 2009
Borja Marcos wrote:
> On Dec 1, 2009, at 2:20 AM, FreeBSD Security Officer wrote:
>
>> A short time ago a "local root" exploit was posted to the full-disclosure
>> mailing list; as the name suggests, this allows a local user to execute
>> arbitrary code as root.
>
> Dr. Strangelove, or How I learned to love the MAC subsystem.
Hi,
Could you point to, or write, some tutorial-like documentation on how
you use the MAC for this particular purpose?
I tried reading the mac* man pages in several instances before but can't
seem to connect the theory described in there with how to apply it in a
practical way.
> # uname -a
> FreeBSD test 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri Nov 20 13:20:06 CET 2009
> root at test:/usr/obj/usr/src/sys/TEST amd64
>
>
> $ gcc -o program.o -c program.c -fPIC
> $ gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> $ ./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # id
> uid=1001(user) gid=1001(user) euid=0(root) groups=1001(portero),0(wheel)
> # /usr/sbin/getpmac
> biba/high(low-high)
>
> And of course it's root.
>
> Now,
>
> $ setpmac biba/low\(low-low\) csh
> %pwd
> /tmp
> %./env
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> #
> ** OMG!! IT WORKED!!.
>
> BUT
>
> # touch /etc/testing_the_exploit
> touch: /etc/testing_the_exploit: Permission denied
> # ls -l /usr/sbin/getpmac
> -r-xr-xr-x 1 root wheel 7144 May 1 2009 /usr/sbin/getpmac
> # /usr/sbin/getpmac
> biba/low(low-low)
>
> OOHHHHH, we have a toothless root. Maybe a "riit"?
>
>
> Pity these serious security mechanisms don't get a widespread usage.
>
>
>
>
>
>
> Borja.
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list