FreeBSD 8.0 local root exploit
There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs for a long time *sigh*. Now it pays off.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session: http://seclists.org/fulldisclosure/2009/Nov/371
Systems tested/affected
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
see also: FreeBSD LD_PRELOAD Security Bypass
andry- (Moderator)
Posts: 467
Join date: 2010-05-07
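The post does not say what the "rather simple technique" is, and no exploit is attached here. As an added illustration of the bug class (this is not Kingcope's exploit and not FreeBSD's rtld or libc source), the C program below models the root cause FreeBSD later described in its advisory for this issue (FreeBSD-SA-09:16.rtld): rtld called unsetenv(3) to strip LD_* variables before starting a set-user-ID binary but never checked the return value, while the FreeBSD libc of that era made unsetenv fail outright as soon as any entry in the environment lacked an '='. Pass LD_PRELOAD together with one malformed entry and the preload survived into the privileged process. The program keeps a private environment array, a model_unsetenv that reproduces that failure mode (an explicit modelling assumption; your host's libc will very likely not behave this way), and the unchecked sanitizer beside the checked one that refuses to run when stripping fails. The variable list, the preload path and the sample environment are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Variables a set-user-ID loader must strip before running the binary.
 * The real rtld list is longer; two names are enough here (assumption). */
static const char *const kDangerous[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Returns non-zero if envp contains an entry named `name` ("name=..."). */
int env_has(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return 1;
    return 0;
}

/* Model of the unsetenv(3) behaviour the advisory describes (modelled here,
 * not libc code): the whole environment is validated first, and any entry
 * without an '=' makes the call fail with -1 before anything is removed. */
int model_unsetenv(char **envp, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strchr(envp[i], '=') == NULL)
            return -1;                      /* "environment corrupt" */
    size_t i = 0;
    while (envp[i] != NULL) {
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=') {
            size_t j = i;                   /* drop entry i: shift tail (and its NULL) down */
            do { envp[j] = envp[j + 1]; } while (envp[j++] != NULL);
        } else {
            i++;
        }
    }
    return 0;
}

/* Vulnerable pattern: strip each variable and ignore whether it worked. */
int sanitize_unchecked(char **envp)
{
    for (const char *const *n = kDangerous; *n != NULL; n++)
        (void)model_unsetenv(envp, *n);
    return 0;                               /* always reports success */
}

/* Hardened pattern: a failed unsetenv means the environment cannot be
 * trusted, so report failure and let the caller refuse to run the binary. */
int sanitize_checked(char **envp)
{
    for (const char *const *n = kDangerous; *n != NULL; n++)
        if (model_unsetenv(envp, *n) != 0)
            return -1;
    return 0;
}

enum { RAN_CLEAN = 0, RAN_WITH_PRELOAD = 1, REFUSED = 2 };

/* Simulates starting a set-user-ID binary with a constructed environment.
 * `malformed` adds an entry with no '=' (the trigger); `checked` selects the
 * sanitizer. Returns what happened to the attacker's LD_PRELOAD. */
int launch_setuid(int checked, int malformed)
{
    /* Constructed sample environment; the preload path is made up. */
    char *env[5] = { "LD_PRELOAD=/tmp/evil.so", "HOME=/home/user", "PATH=/bin", NULL, NULL };
    if (malformed)
        env[3] = "BROKEN";                  /* no '=': corrupts the environment */
    int rc = checked ? sanitize_checked(env) : sanitize_unchecked(env);
    if (rc != 0)
        return REFUSED;
    return env_has(env, "LD_PRELOAD") ? RAN_WITH_PRELOAD : RAN_CLEAN;
}

int main(void)
{
    const char *what[] = { "ran clean", "RAN WITH LD_PRELOAD", "refused (environment corrupt)" };
    printf("unchecked sanitizer, well-formed env: %s\n", what[launch_setuid(0, 0)]);
    printf("unchecked sanitizer, malformed env:   %s\n", what[launch_setuid(0, 1)]);
    printf("checked sanitizer,   well-formed env: %s\n", what[launch_setuid(1, 0)]);
    printf("checked sanitizer,   malformed env:   %s\n", what[launch_setuid(1, 1)]);
    return 0;
}
```

The only difference between the two sanitizers is one return-value check, which is also the shape of the FreeBSD fix: a loader that cannot prove it removed the dangerous variables must not continue, because the environment it would hand to the privileged image is exactly the one the caller chose.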