This page is READ-ONLY. It is generated from the old site.
All timestamps are relative to 2013 (when this page is generated).

FreeBSD local r00t 0day

gruhhhh
Added by over 3 years ago

FreeBSD again?

http://seclists.org/fulldisclosure/2009/Nov/371

Discovered & exploited by Nikolaos Rangos, also known as Kingcope. Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievably simple local r00t bug in recent FreeBSD versions. I audited FreeBSD for local r00t bugs for a long time, sigh. Now it pays off.

The bug resides in the Run-Time Link-Editor (rtld). Normally rtld does not allow dangerous environment variables like LD_PRELOAD to be set when executing setugid binaries like "ping" or "su". With a rather simple technique rtld can be tricked into accepting LD variables even on setugid binaries. See the attached exploit for details.

Systems tested/affected:

  1. FreeBSD 8.0-RELEASE - VULNERABLE
  2. FreeBSD 7.1-RELEASE - VULNERABLE
  3. FreeBSD 6.3-RELEASE - NOT VULN
  4. FreeBSD 4.9-RELEASE - NOT VULN

Patch: http://viettug.org/blogs/show/384
