

Serious localhost vulnerability found in FreeBSD - tptacek
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+0+current/freebsd-announce

======
tptacek
Here's Kingcope's exploit post:

    
    
      http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071686.html
    

Unix systems give userland processes a lot of control over the what libraries
get loaded dynamically into programs, so that you can (for instance) pick and
choose what versions of third-party libraries you're going to use, or
interpose wrapper functions over standard library functions like malloc().

This is a problem for SUID programs, because they run with higher privileges.
SUID programs are supposed to be hermetically sealed. So you can't LD_PRELOAD
a library into an SUID program; rtld strips the LD_* variables out of the
environment.

Except, oops:

    
    
      http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/getenv.c?rev=1.16;content-type=text%2Fx-cvsweb-markup
    

If you create a malformed environment, the unsetenv() call rtld uses to strip
the environment will fail. rtld didn't notice the failure and accepted the
dangerous variables.

This flaw is a riff on one of the all-time greatest Unix localhost findings.
Back on SunOS 4.1.3, the "loadmodule" program was SUID root and used system()
to execute shell commands to do parts of its work. 8lgm found that if an
attacker set the shell IFS variable, they could trick the Bourne shell into
thinking the path seperator '/' was the token seperator ' ', and thus trick
"loadmodule" into running a program out of their home directory instead of
/sbin.

So Sun patched "loadmodule" to strip IFS out of the environemnt.

So 8lgm wrote a second exploit that set two IFS variables. "loadmodule" only
caught the first.

Thanks for keeping the flame alive, FreeBSD! =)

------
cperciva
A patch is available: [http://lists.freebsd.org/pipermail/freebsd-
security/2009-Dec...](http://lists.freebsd.org/pipermail/freebsd-
security/2009-December/005369.html)

Something I forgot to mention in the above post is that this affects FreeBSD
7.x and 8.x only.

An advisory will be coming soon.

~~~
stingraycharles
So this is not true ?

[http://lists.grok.org.uk/pipermail/full-
disclosure/2009-Nove...](http://lists.grok.org.uk/pipermail/full-
disclosure/2009-November/071694.html)

~~~
cperciva
_So this is not true ?_

If you mean the bit about 7.0 not being vulnerable, yes. The exploit code
posted is slightly buggy, which is probably responsible for the false
positive.

------
thras
"Localhost vulnerability" is a meaningless term. It's called a local root
exploit.

EDIT: Since I got modded down for saying this, try to Google for it. There are
less than 300 hits for "localhost vulnerability," with this article leading
the charge. It's simply a mistake by someone who doesn't know the terminology.

~~~
tptacek
I'm using the OpenBSD term, since it's what I got started with in the early
90's, when I wrote the OpenBSD advisories. It's not strictly a "root"
vulnerability; if you have no SUIDs except for qmail-queue, it's a qmailq
vulnerability.

I'm guessing you got downmodded because nobody cares, although being wrong
couldn't have helped.

~~~
thras
Huh? Sorry, but to quote the advisory:

 _A short time ago a "local root" exploit was posted to the full-disclosure
mailing list;_

You don't know what you're talking about. This exploit appears to give local
users root privileges, making it a local root exploit exactly as the security
advisory states.

The phrase "localhost vulnerability" remains meaningless techno-babble.
Localhost refers to a network address and this exploit appears to have nothing
to do with that.

~~~
davidw
> You don't know what you're talking about.

I would bet pretty good money that he does:-)

~~~
thras
I'm willing to take your bet.

He has claimed that "localhost vulnerability" was the term used on the OpenBSD
list in the 1990s. Why don't you try to find it there:
[http://emailthreads.org/list/openbsd-security-
announce.en.ht...](http://emailthreads.org/list/openbsd-security-
announce.en.html)

~~~
tptacek
Ok. I'll officiate. What's the dollar amount? I recommend $100, and that the
winner donate the proceeds to their preferred charity.

The bet is over when I demonstrate to you that (a) I didn't invent the term
"localhost vulnerability", much as I wish I had, and (b) this vulnerability
isn't strictly a "root" vulnerability. I'll withhold any further description
in the interests of routing money from your bank account to a deserving
charity, and I will match any dollar amount that davidw agrees to.

~~~
thras
You mean "root exploit" not "root vulnerability." The second term is again
mistaken, although it gets used a lot.

Did you even read the exploit code? He's figured out a way to overwrite
LD_PRELOAD environment variable for anything SUID. That means that you get to
tell the binary to load libraries other than what it planned on loading. And
hence run arbitrary code.

This has nothing to do with "localhost." If you'd like to give examples of
people using "localhost vulnerability" in the past, go right ahead and link to
them.

~~~
tptacek
Are you going to accept the bet, like you said you were? If you are, I have no
desire to screw a charity out of your money by helping you with this.

