The FreeBSD Project's FreeBSD Ports and Packages Collection offers a simple way for users and administrators to install applications. More information about it is available at http://www.freebsd.org/ports/.
The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be locally manipulated to take advantage of open file descriptors for /dev/mem and /dev/kmem to gain root privileges on a target host. These five programs are installed setgid kmem by default. They drop kmem privileges before executing user-specified commands, but the file descriptors to /dev/mem and /dev/kmem remain open and are inherited by those commands. This can lead to a local root compromise in various ways (e.g. if an attacker chooses to scan for the master password file in the Linux kernel memory).
The following examples illustrate the vulnerabilities:
bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep
dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep
dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
bash-2.05a$ cat .wmmonrc
bash-2.05a$ wmmon &
bash-2.05a$ Monitoring 5 devices for activity.
current stat is :1
bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem
bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep
wmnet: using kmem driver to monitor ec0
dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem
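The lsof checks above show the underlying defect: dropping the kmem group ID does not revoke a descriptor that is already open, so anything the program later executes inherits it. The following is an added example written for this page, not code from the affected ports or from FreeBSD; it uses /dev/null as a constructed stand-in for /dev/kmem so that it runs unprivileged, and the function names (open_device_leaky, open_device_cloexec, close_from, fd_survives_exec, child_can_use_fd) are hypothetical. It shows the leaky open pattern next to a close-on-exec variant, and reproduces the advisory's test by asking a spawned /bin/sh whether it can still read the descriptor:

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a device the way the affected ports do: plain open(2), no
 * close-on-exec flag. The descriptor survives fork()+exec() and is
 * therefore visible to any user-specified command run afterwards. */
int open_device_leaky(const char *path) {
    return open(path, O_RDONLY);
}

/* Hardened variant: mark the descriptor close-on-exec right away.
 * Dropping the kmem group ID does not revoke an open fd, so the fd
 * itself must never reach the exec'd child. */
int open_device_cloexec(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Belt-and-braces fix for code paths that exec helpers: close every
 * descriptor at or above 'lowfd' before exec, whoever opened it. */
void close_from(int lowfd) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024; /* conservative fallback bound */
    for (int fd = lowfd; fd < maxfd; fd++) close(fd);
}

/* Static check: 1 if 'fd' would be inherited across exec (no
 * FD_CLOEXEC), 0 if it would be closed, -1 on error. */
int fd_survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Dynamic check mirroring the lsof test in the advisory: spawn /bin/sh
 * as the "user command" and make it read from descriptor 'fd'. The
 * redirection fails if the fd was not inherited. Returns 1 if the child
 * could use the fd, 0 if not, -1 if no child could be spawned. */
int child_can_use_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "cat <&%d >/dev/null 2>&1", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void) {
    /* Constructed stand-in: /dev/null plays the role of /dev/kmem. */
    const char *dev = "/dev/null";
    int leaky = open_device_leaky(dev);
    int safe = open_device_cloexec(dev);
    printf("leaky fd %d: survives exec=%d, child can use=%d\n",
           leaky, fd_survives_exec(leaky), child_can_use_fd(leaky));
    printf("cloexec fd %d: survives exec=%d, child can use=%d\n",
           safe, fd_survives_exec(safe), child_can_use_fd(safe));
    close(leaky);
    close(safe);
    return 0;
}
```

The close-on-exec flag is the per-descriptor fix; close_from(3) before the exec is the coarser one that also catches descriptors opened by libraries such as libkvm, which is where the FreeBSD advisory below places the correction.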
One possible exploit for these vulnerabilities is to replace getch() in strings(1) with:
or a similar, less CPU-expensive function that reads a character from the /dev/mem file descriptor and execute the following:
wmnet2 -e exploit|grep root|grep Charlie
The latest copies of asmon, ascpu, bubblemon, wmmon, and wmnet2 from the FreeBSD ports collection are vulnerable and were tested on 4.6-RELEASE of FreeBSD. According to FreeBSD, all FreeBSD ports that use libkvm before and including 4.6.2-RELEASE may be vulnerable.
Remove the setgid bit from each of the affected applications, e.g. via the command chmod g-s /path.to/wmnet2.
FreeBSD advisory FreeBSD-SA-02:39.libkvm, which is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:39.libkvm.asc, provides the following patch details:
"Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27)."
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1125 for these issues.
08/12/2002 Issue disclosed to iDEFENSE
09/06/2002 FreeBSD Security notified
09/06/2002 iDEFENSE clients notified
09/16/2002 Coordinated public disclosure by FreeBSD and iDEFENSE
badc0ded (email@example.com) is credited with discovering these vulnerabilities.