lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Dec 2009 11:12:04 +0100
From: Oliver Pinter <oliver.pinter@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: ** FreeBSD local r00t zeroday

On Tuesday 01 December 2009 06.45.38 bk wrote:
> On Nov 30, 2009, at 9:25 PM, David Berard wrote:
> >> 7.0 not vuln.
> >
> > 7.0 vulnerable here,
> >
> > $ ./env
> > /libexec/ld-elf.so.1: environment corrupt; missing value for
> > /libexec/ld-elf.so.1: environment corrupt; missing value for
> > /libexec/ld-elf.so.1: environment corrupt; missing value for
> > /libexec/ld-elf.so.1: environment corrupt; missing value for
> > /libexec/ld-elf.so.1: environment corrupt; missing value for
> > ALEX-ALEX
> > # uname -r
> > 7.0-RELEASE-p3
>
> Here as well:
>
> bin/Kingcope.sh: new file: 35 lines, 772 characters.
> [chort@...on ~]$ chmod +x bin/Kingcope.sh
> [chort@...on ~]$ Kingcope.sh
> bin ktrace.out scratch vent_stalk FreeBSD local r00t zeroday
> by Kingcope
> November 2009
> env.c: In function 'main':
> env.c:5: warning: incompatible implicit declaration of built-in function
> 'malloc' env.c:9: warning: incompatible implicit declaration of built-in
> function 'strcpy' env.c:11: warning: incompatible implicit declaration of
> built-in function 'execl' /libexec/ld-elf.so.1: environment corrupt;
> missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> /libexec/ld-elf.so.1: environment corrupt; missing value for
> ALEX-ALEX
> # whoami
> root
> # uname -a
> FreeBSD demon.smtps.net 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24
> 19:59:52 UTC 2008    
> root@...an.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>
> It's a VM if that matters.
>
> --
> chort
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

with cpercivals patch:

op@...verp exploit> ./local_root_exploit_env.sh
local_root_exploit_env.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in 
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in 
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in 
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; aborting


-- 
thanks,
Oliver

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists