From owner-freebsd-security Sun Feb 2 22:26:23 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA11149 for security-outgoing; Sun, 2 Feb 1997 22:26:23 -0800 (PST)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11142 for ; Sun, 2 Feb 1997 22:26:18 -0800 (PST)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id RAA27732; Mon, 3 Feb 1997 17:29:45 +1100 (EST)
Date: Mon, 3 Feb 1997 17:29:43 +1100 (EST)
From: "Daniel O'Callaghan"
To: freebsd-security@freebsd.org
Subject: Critical Security Problem in 4.4BSD crt0 (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

---------- Forwarded message ----------
Date: Sun, 2 Feb 1997 23:54:54 -0600 (CST)
From: Thomas H. Ptacek
To: bugtraq@netspace.org
Cc: freebsd-security@freebsd.org
Subject: Critical Security Problem in 4.4BSD crt0

There is a critically important security problem in FreeBSD 2.1.5's C runtime support library that will enable anyone with control of the environment of a process to cause it to execute arbitrary code. All executable SUID programs on the system are vulnerable to this problem.

The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the "main()" entry point function in the program that is starting, will under some circumstances call routines that set the "locale" of the program. The routines that do this are heavily dependent on environment variables, which are in some circumstances copied directly into local character buffers on the stack of the locale routines.

An immediately exploitable problem is evident in "startup_setrunelocale()", which, if certain environment variables are set, will copy the value of "PATH_LOCALE" directly into a 1024-byte buffer on the routine's stack.

An attacker simply needs to insert machine code and virtual memory addresses into the "PATH_LOCALE" variable, enable startup locale processing, and run an SUID program. On FreeBSD 2.1.5, startup locale processing is enabled by setting the environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is called if the environment variable "LC_CTYPE" is set as well.

An exploit for this problem was written in less than 5 minutes. It's a completely typical stack overrun. There is at least one report of individuals actively exploiting this problem on the net.

FreeBSD 2.2-BETA, as well as OpenBSD, seem to have this problem resolved. FreeBSD's crt0 start() function does not process locales and is thus not vulnerable to this problem. I have seen no announcements from the FreeBSD team about 2.2's resolution to the problem, or 2.1.5's vulnerability, and can only assume that they are unaware of it.

Thanks to Michael Scher at U.S. Host for information about this problem.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
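The bug shape Ptacek describes, reconstructed as an added example for readers of this archive; this is not code from the post, from FreeBSD's crt0 or from its libc. It puts the unchecked copy of an environment value into a 1024-byte stack buffer next to a bounds-checked replacement that refuses oversize input rather than truncating it. The 1024-byte size, the routine name and the ENABLE_STARTUP_LOCALE / LC_CTYPE gating come from the post; the "<PATH_LOCALE>/<LC_CTYPE>" path layout, the default directory and the 1500-byte attacker value are assumptions made for illustration.

```c
/*
 * Added example, not code from the post or from FreeBSD's crt0/libc.
 * Reconstructs the shape of the bug: an environment value copied into a
 * 1024-byte stack buffer with no length check, beside a bounded version.
 * The "<PATH_LOCALE>/<LC_CTYPE>" layout is an assumption for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCALE_BUFSZ 1024           /* size of the stack buffer named in the post */

/*
 * Vulnerable shape. strcpy() trusts the length of the environment value, so a
 * PATH_LOCALE longer than the buffer runs past it into the saved frame pointer
 * and return address above it. Kept only to show the pattern; this program never
 * calls it with an oversize value.
 */
static size_t unsafe_setrunelocale(const char *path_locale, const char *ctype)
{
    char buf[LOCALE_BUFSZ];

    strcpy(buf, path_locale);       /* no bound: this is the overflow */
    strcat(buf, "/");
    strcat(buf, ctype);
    return strlen(buf);
}

/*
 * Hardened shape. snprintf() is bounded, and its return value is checked so an
 * oversize value is rejected outright instead of being silently cut into a path
 * the program never intended. Returns 0 on success, -1 on rejection.
 */
static int safe_setrunelocale(char *out, size_t outsz,
                              const char *path_locale, const char *ctype)
{
    int n;

    if (out == NULL || path_locale == NULL || ctype == NULL)
        return -1;
    n = snprintf(out, outsz, "%s/%s", path_locale, ctype);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                  /* would not have fit: refuse, do not truncate */
    return 0;
}

/* The gating the post describes: the routine runs only when both variables are set. */
static int startup_locale_enabled(const char *enable_startup_locale, const char *lc_ctype)
{
    return enable_startup_locale != NULL && lc_ctype != NULL;
}

/* Constructed input: a PATH_LOCALE value of `len` 'A' bytes, as an attacker might export. */
static char *make_long_value(size_t len)
{
    char *v = malloc(len + 1);
    if (v != NULL) {
        memset(v, 'A', len);
        v[len] = '\0';
    }
    return v;
}

/* Hardened routine against a 1500-byte value: returns -1 (rejected). */
int demo_reject_oversize(void)
{
    char out[LOCALE_BUFSZ];
    char *v = make_long_value(1500);
    int rc = (v != NULL) ? safe_setrunelocale(out, sizeof out, v, "en_US.ISO8859-1") : -2;
    free(v);
    return rc;
}

/* Hardened routine against an ordinary value: returns 0 (accepted). */
int demo_accept_normal(void)
{
    char out[LOCALE_BUFSZ];
    return safe_setrunelocale(out, sizeof out, "/usr/share/locale", "en_US.ISO8859-1");
}

int main(void)
{
    char out[LOCALE_BUFSZ];

    if (!startup_locale_enabled("1", "en_US.ISO8859-1"))
        return 1;

    /* Ordinary value: both shapes behave; the unsafe one is shown on safe input only. */
    printf("unsafe, normal value: path length %zu\n",
           unsafe_setrunelocale("/usr/share/locale", "en_US.ISO8859-1"));
    printf("safe,   normal value: rc=%d (%s)\n",
           safe_setrunelocale(out, sizeof out, "/usr/share/locale", "en_US.ISO8859-1"), out);

    /* Oversize value: only the hardened routine is run against it. */
    printf("safe,   1500-byte value: rc=%d\n", demo_reject_oversize());
    return 0;
}
```

The point of the check is the comparison against the snprintf() return value: a bounded copy alone would stop the overflow but hand the program a truncated path, so the hardened routine treats "did not fit" as an error and leaves locale processing untouched.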