From owner-freebsd-bugs@FreeBSD.ORG Sun Mar 4 06:50:03 2007 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id ACF6916A403 for ; Sun, 4 Mar 2007 06:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 8EBE313C47E for ; Sun, 4 Mar 2007 06:50:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l246o3wp018710 for ; Sun, 4 Mar 2007 06:50:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l246o3eG018709; Sun, 4 Mar 2007 06:50:03 GMT (envelope-from gnats) Resent-Date: Sun, 4 Mar 2007 06:50:03 GMT Resent-Message-Id: <200703040650.l246o3eG018709@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Guasconi Vincent Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BFFFF16A401 for ; Sun, 4 Mar 2007 06:43:44 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [69.147.83.33]) by mx1.freebsd.org (Postfix) with ESMTP id A4F8913C481 for ; Sun, 4 Mar 2007 06:43:44 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l246hiIh016256 for ; Sun, 4 Mar 2007 06:43:44 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id l246hi1V016254; Sun, 4 Mar 2007 06:43:44 GMT (envelope-from nobody) Message-Id: <200703040643.l246hi1V016254@www.freebsd.org> Date: Sun, 4 Mar 2007 06:43:44 GMT From: Guasconi Vincent To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.0 Cc: Subject: kern/109836: Security patch for rtld, a lack of environment sanitization X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 Mar 2007 06:50:03 -0000 >Number: 109836 >Category: kern >Synopsis: Security patch for rtld, a lack of environment sanitization >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sun Mar 04 06:50:03 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Guasconi Vincent >Release: 7.0 >Organization: Student >Environment: FreeBSD 7.0-CURRENT-200609 (GENERIC) >Description: Hi! I'm french so excuse my english :p. Here's a security problem I solved (I think). <----------> Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders. Impact: Serious. May lead to privilege escalation. A class of security vulnerabilities has resurfaced in the dynamic loaders of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment variables for suid and sgid binaries. [...] Due to either badly implemented sanitization or a lack of it, a setuid binary may execute other processes with a tainted environment. No attempt is made to clear dangerous variables. The FreeBSD dynamic loaders simply do not process the variables when ruid does not equal euid. <----------> complete source : http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050829.html Already fix in NetBSD since 3 months : http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/rtld.c.diff?r1=1.110&r2=1.111&f=h -- Guasconi Vincent French student. http://altmylife.blogspot.com [fr] >How-To-Repeat: vulnerable root-suid program example: main() { setuid(0); execl("/usr/bin/id","id",0); } evil shared library: __attribute__ ((constructor)) main() { printf("[+] Hello from shared library land\n"); execle("/bin/sh","sh",0,0); } >Fix: So here's the patch for libexec/rtld-elf/rtld.c 1.120 (my first so be cool ^-^). I've test it on my FreeBSD 7.0-CURRENT-200609 (GENERIC), it works perfectly. I don't know if you need I reproduce it for 6.2? I'm not really aware of the procedure. 26c26 < * $FreeBSD: src/libexec/rtld-elf/rtld.c,v 1.120 2007/01/09 17:50:05 jhb Exp $ --- > * $FreeBSD: src/libexec/rtld-elf/rtld.c,v 1.120 2007/03/04 04:42:00 jhb Exp $ 140a141,142 > static void rtld_env_destroyer(char **); > static void rtld_unsetenv(const char *, char **); 360,361c362,366 < } else < dangerous_ld_env = 0; --- > } else { > /* issetugid isn't able to catch a setuid() so... */ > rtld_env_destroyer(env); > dangerous_ld_env = 0; > } 3325a3331,3374 > } > > /* ... Let's start the war. */ > /* env destructor in case of issetugid, security fix. */ > static void > rtld_env_destroyer(char **env) > { > ld_debug = NULL; > ld_library_path = NULL; > libmap_disable = 0; > libmap_override = NULL; > ld_preload = NULL; > rtld_unsetenv(LD_ "DEBUG", env); > rtld_unsetenv(LD_ "LIBRARY_PATH", env); > rtld_unsetenv(LD_ "LIBMAP_DISABLE", env); > rtld_unsetenv(LD_ "LIBMAP", env); > rtld_unsetenv(LD_ "PRELOAD", env); > return ; > } > > /* Thanks to OpenBSD */ > /* unset all var occurences from env */ > static void > rtld_unsetenv(const char *var, char **env) > { > char *ep; > > while ((ep = *env)) { > const char *vp = var; > > while (*vp && *vp == *ep) { > vp++; > ep++; > } > if (*vp == '\0' && *ep++ == '=') { > char **P; > > for (P = env;; ++P) > if (!(*P = *(P + 1))) > break; > } else > env++; > } > return ; Hope it helps. Thx in advance. >Release-Note: >Audit-Trail: >Unformatted: