Exploit BSDI BSD/OS 4.0 /FreeBSD 3.2 /NetBSD 1.4 x86 / OpenBSD 2.5 - UFS Secure Level 1

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
19411
Проверка EDB
  1. Пройдено
Автор
STEALTH
Тип уязвимости
LOCAL
Платформа
BSD
CVE
cve-1999-1394
Дата публикации
1999-07-02
BSDI BSD/OS 4.0 /FreeBSD 3.2 /NetBSD 1.4 x86 / OpenBSD 2.5 - UFS Secure Level 1
Код:
source: https://www.securityfocus.com/bid/510/info

In 4.4BSD derivatives there are four secure levels that provide for added filesystem security (among other things) over and above the regular unix permission systems. Part of the secure levels are the system of file flags which include immutable and append-only flags. In secure level 0, these flags are irrelevant. The vulnerability lies in the inherent flaw with security level 1. In security level 1, the file flags are acknowledged; files such as /usr/bin/login can be set immutable and so forth -- however, umounted partitions/devices can be freely written to and modified (by root, of course). Stealth <[email protected]> has written a tool which allows for an intruder who has gained root to bypass security level 1 through writing directly to the device and clearing the file flags. The tool also sets the CLEAN flag in the filesystem which fools the computer into thinking the modified device is clean avoiding detection at bootup. A hypothetical situation for exploit of this vulnerability is as follows,

Hacker compromises root on target host.
Hacker attempts backdoor insertion and realizes suid binaries are immutable.
Hacker verifies secure level is set to 1.
Hacker umounts /usr.
Hacker writes directly to device previously mounted as /usr, clearing file flags.
Hacker mounts modified device as /usr.
Hacker installs backdoored /usr/bin/login. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19411.tgz
 
Источник
www.exploit-db.com

Похожие темы