Tuesday, December 1, 2009

FreeBSD 8.0 local root exploit

There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs for a long time *sigh*. Now it pays off.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique, rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
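To make the policy described above concrete, here is an added illustration (not rtld's code, not the exploit, and not part of the original post) of what a set-user-ID program should do with loader-controlled environment variables: detect that it runs with privileges its caller does not have, strip every `LD_*` entry, and then verify that none remain rather than assuming the scrub worked. The `LD_` prefix list, the function names and the sample environment are assumptions chosen for the example; the page itself only names `LD_PRELOAD`.

```c
/* Added example: environment scrubbing for a setugid program.
 * Illustrates the policy the advisory attributes to rtld; this is
 * not rtld's implementation and does not reproduce the bypass. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Prefixes treated as loader-controlled and therefore unsafe when
 * privileges are elevated (assumed list; the page names LD_PRELOAD). */
static const char *const unsafe_prefixes[] = { "LD_", NULL };

/* 1 if the process holds a uid/gid its caller did not have. */
int privilege_elevated(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* 1 if an "NAME=value" entry starts with an unsafe prefix. */
static int is_unsafe(const char *entry) {
    for (int i = 0; unsafe_prefixes[i] != NULL; i++) {
        size_t n = strlen(unsafe_prefixes[i]);
        if (strncmp(entry, unsafe_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Remove every unsafe entry from a NULL-terminated env array in place,
 * preserving the order of the remaining entries. Returns the count removed. */
int scrub_env(char **envp) {
    int removed = 0, w = 0;
    for (int r = 0; envp[r] != NULL; r++) {
        if (is_unsafe(envp[r]))
            removed++;
        else
            envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return removed;
}

/* Number of unsafe entries still present. A hardened program checks that
 * this is 0 after scrubbing instead of trusting that the scrub succeeded. */
int count_unsafe(char **envp) {
    int n = 0;
    for (int i = 0; envp[i] != NULL; i++)
        if (is_unsafe(envp[i]))
            n++;
    return n;
}

int main(void) {
    /* Constructed sample environment, not captured from a real system. */
    char *sample[] = {
        "PATH=/bin:/usr/bin",
        "LD_PRELOAD=/tmp/evil.so",
        "HOME=/root",
        "LD_LIBRARY_PATH=/tmp",
        NULL
    };

    printf("privilege elevated: %s\n", privilege_elevated() ? "yes" : "no");
    printf("unsafe entries before scrub: %d\n", count_unsafe(sample));
    int removed = scrub_env(sample);
    printf("removed %d entries\n", removed);

    /* Verify, do not assume: refuse to continue if anything slipped through. */
    if (count_unsafe(sample) != 0) {
        fputs("refusing to run with loader variables set\n", stderr);
        return 1;
    }
    for (int i = 0; sample[i] != NULL; i++)
        printf("kept: %s\n", sample[i]);
    return 0;
}
```

The verification step after the scrub is the point: a privileged program that strips variables but never confirms they are gone has no way to notice when the strip silently fails.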

Example exploiting session: http://seclists.org/fulldisclosure/2009/Nov/371

Systems tested/affected

FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE


see also: FreeBSD LD_PRELOAD Security Bypass
