
FreeBSD local r00t 0day

gruhhhh
Added by z about 2 years ago

FreeBSD again?

http://seclists.org/fulldisclosure/2009/Nov/371

Discovered & Exploited by Nikolaos Rangos also known as Kingcope. Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions. I audited FreeBSD for local r00t bugs a long time sigh. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld). Normally rtld does not allow dangerous environment variables like LD_PRELOAD to be set when executing setugid binaries like "ping" or "su". With a rather simple technique rtld can be tricked into accepting LD variables even on setugid binaries. See the attached exploit for details.

Systems tested/affected

  1. FreeBSD 8.0-RELEASE - VULNERABLE
  2. FreeBSD 7.1-RELEASE - VULNERABLE
  3. FreeBSD 6.3-RELEASE - NOT VULN
  4. FreeBSD 4.9-RELEASE - NOT VULN

Patch: http://viettug.org/blogs/show/384
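The advisory's point is that a run-time linker must drop LD_* variables before it trusts the environment of a set-user-ID or set-group-ID program, and that the scrub has to be verified rather than assumed. The following is an added illustration written for this page, not code from the advisory, from Kingcope or from FreeBSD's rtld: it scrubs a caller-supplied envp array and then re-checks it, refusing to proceed if anything unsafe survives. The variable list is an illustrative subset (the real rtld has its own), and the privilege test in main() is a simplified stand-in for the loader's own check.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Variables a loader must never honour for set-user-ID / set-group-ID programs.
 * Illustrative subset only; FreeBSD's rtld keeps its own list. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", "LD_LIBMAP_DISABLE", NULL
};

/* Does environment entry `entry` name variable `name`?  Matches "NAME=..."
 * and also a bare "NAME", so a malformed entry is discarded rather than kept. */
static int entry_names(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && (entry[n] == '=' || entry[n] == '\0');
}

static int is_unsafe(const char *entry) {
    for (int i = 0; unsafe_vars[i] != NULL; i++)
        if (entry_names(entry, unsafe_vars[i]))
            return 1;
    return 0;
}

/* Compact envp in place, dropping unsafe entries.  Returns how many were dropped. */
int scrub_env(char **envp) {
    int dropped = 0, w = 0;
    for (int r = 0; envp[r] != NULL; r++) {
        if (is_unsafe(envp[r]))
            dropped++;
        else
            envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return dropped;
}

/* Post-condition check: 0 if no unsafe entry remains, -1 otherwise. */
int env_is_clean(char *const *envp) {
    for (int i = 0; envp[i] != NULL; i++)
        if (is_unsafe(envp[i]))
            return -1;
    return 0;
}

/* The policy a loader should apply before trusting its environment:
 * unprivileged programs keep their environment; privileged ones are scrubbed
 * and then verified.  A -1 result means "environment corrupt, abort". */
int prepare_env(char **envp, int privileged) {
    if (!privileged)
        return 0;
    scrub_env(envp);
    return env_is_clean(envp);   /* fail closed: the caller must not continue on -1 */
}

int main(void) {
    /* Constructed sample environment, including one malformed entry. */
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/x.so", "HOME=/root",
                    "LD_LIBRARY_PATH", NULL };
    /* Simplified stand-in for the loader's own privilege check. */
    int privileged = (getuid() != geteuid()) || (getgid() != getegid());

    if (prepare_env(env, 1 /* force the privileged path for the demo */) != 0) {
        fprintf(stderr, "environment corrupt; aborting\n");
        return 1;
    }
    printf("privileged=%d, surviving entries:\n", privileged);
    for (int i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

The design choice worth noting is the second pass: scrubbing and verifying are separate steps, and the loader aborts rather than continuing when verification fails, so a failed scrub cannot silently turn into an honoured LD_PRELOAD.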
