FreeBSD mmap and ptrace privilege escalation

I've found these two pieces of code for privilege escalation. I've tested them on FreeBSD 10 and they work fine! x(

Code:
[user@freebsd10 ~]$ uname -a
FreeBSD freebsd10 10.0-CURRENT FreeBSD 10.0-CURRENT

Info: http://www.mondounix.com/freebsd-mmap-privilege-escalation/
Advisory: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc

Test:

Code:
[user@freebsd10 ~]$ ./b
[+] Saved old '/sbin/ping'
[+] Using mmap-ed area at 0x801000000
[+] Attached to 1264
[+] Copied 7435 bytes of payload to '/sbin/ping'
[+] Triggering payload

# id
uid=0(root) gid=0(wheel)
# exit
[+] Restoring '/sbin/ping'
[+] Done

Code: http://www.mondounix.com/freebsd-9-0-9-1-mmap-ptrace-exploit/

Code:
[user@freebsd10 ~]$ ./c
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul@hunger.hu>
# id
uid=0(root) gid=0(wheel)
 
I don't know about FreeBSD 10; however, this has been addressed in a recent update of FreeBSD 9.1-RELEASE. We are at patch level 4 now. See chapter "VI. Correction details" in the advisory that you gave a link to.
 
I've made a backup of the system (it is a test virtual machine) and will try to apply the patch and rebuild the kernel.
 
According to the advisory http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc, I've applied a patch and rebuilt the kernel on my FreeBSD 10.0 CURRENT. It works fine.

http://www.mondounix.com/freebsd-mmap-privilege-escalation/
Code:
[user@freebsd10 ~]$ ./b
[+] Saved old '/sbin/ping'
[+] Using mmap-ed area at 0x801000000
[+] Attached to 2040
[-] ptrace(PT_WRITE_D) failed: Bad address

http://www.mondounix.com/freebsd-9-0-9-1-mmap-ptrace-exploit/
Code:
[user@freebsd10 ~]$ ./c
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul@hunger.hu>
c: ptio: Bad address

I've written an article with all the commands that I used (sorry, it is not in English): http://www.mondounix.com/freebsd-ricompilare-kernel-per-correggere-la-vulnerabilita-di-mmap-ptrace/
 