-
12-01-2009, 02:48 AM #1 Web Hosting Master
[URGENT] FreeBSD Zero Day Exploit + Temporary Patch
Hey,
For those of you who do not subscribe to the FreeBSD security mailing list, there is a public zero day exploit going around. I've been able to test it out on a few servers using different versions from FreeBSD 6.2 to FreeBSD 8.0 with mixed results. The exploit is local and requires access to the compilers along with a setugid binary. Disabling the compilers is not a valid workaround and you are all strongly urged to use the following patch:
cd /usr/src/libexec/rtld-elf
fetch http://people.freebsd.org/~cperciva/rtld.patch
patch < rtld.patch
make && make install
The patch has been put out by Colin Percival, the Security Officer for the FreeBSD project.
This is what a valid exploit will look like:
%uname -a
FreeBSD domain.tld 7.2-STABLE FreeBSD 7.2-STABLE #5: Thu Nov 26 17:33:47 EST 2009 nop@domain.tld:/usr/obj/usr/src/sys/kernel i386
%whoami
nop
%sh exploit.sh
exploit.sh: gcc: Permission denied
exploit.sh: gcc: Permission denied
exploit.sh: gcc: Permission denied
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
# whoami
root
References:
http://lists.freebsd.org/pipermail/f...er/005370.html
-
12-01-2009, 02:51 AM #2 Web Hosting Master
Also, for the sake of the lazy admins out there ... please do not post any links to the exploit code. =)
-
12-01-2009, 03:06 AM #3 Web Hosting Master
If the patch gives you the following output, it has failed and you will need to apply the patch manually:
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: rtld.c
|===================================================================
|--- rtld.c (revision 199977)
|+++ rtld.c (working copy)
--------------------------
Patching file rtld.c using Plan A...
Hunk #1 failed at 366.
1 out of 1 hunks failed--saving rejects to rtld.c.rej
done
Open the rtld.c file and scroll down to the following section of code:
    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables.  The process will be marked as tainted until setuid(2)
     * is called.  If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        unsetenv(LD_ "PRELOAD");
        unsetenv(LD_ "LIBMAP");
        unsetenv(LD_ "LIBRARY_PATH");
        unsetenv(LD_ "LIBMAP_DISABLE");
        unsetenv(LD_ "DEBUG");
    }
Replace the above code with the following and make sure you do not touch anything else or you could have a very broken system:
    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables.  The process will be marked as tainted until setuid(2)
     * is called.  If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
            unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
            unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH")) {
            _rtld_error("environment corrupt; aborting");
            die();
        }
    }
Save the file and then execute: make && make install
-
12-01-2009, 12:13 PM #4 Web Hosting Master
I'm not horribly familiar with the FBSD system (or C in general) though it looks like they allowed access to LD_PRELOAD on a SUID app (based off the original FD code).
I was impressed with the response time of FBSD; they had a patch out about an hour after it was first published to Bugtraq/FD.
█ Cody R.
█ Hawk Host Inc. Proudly serving websites since 2004.
█ Official Let's Encrypt Sponsor
-
12-01-2009, 08:35 PM #5 Backup Guru
I noticed that running a "make && make install" in /usr/src/libexec/rtld-elf only updates /libexec/ld-elf.so.1 on amd64 boxes, and not /libexec/ld-elf32.so.1. To be on the safe side, I then did a "make world" from /usr/src, which does update it.
Scott Burns, President
BQ Internet Corporation
Remote Rsync and FTP backup solutions
*** http://www.bqbackup.com/ ***
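A post-patch check, added here as an example and not code from the thread or from the FreeBSD project: it covers both the patch procedure in #1/#3 and Scott's amd64 caveat in #5. It assumes that a run-time linker built with the fix contains the literal "environment corrupt; aborting" (the _rtld_error string the patch adds) while an unpatched one does not; the two loader paths are the ones named in this thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: report whether an
# installed run-time linker carries the rtld.patch fix. Assumption: the patched
# rtld contains the literal "environment corrupt; aborting" (the _rtld_error
# string the fix adds) and an unpatched one does not.
FIX_MARKER="environment corrupt; aborting"

# rtld_is_patched FILE -> 0 if FILE contains the marker, 1 if not, 2 if absent
rtld_is_patched() {
    f=$1
    [ -f "$f" ] || return 2
    if grep -a -q -F -- "$FIX_MARKER" "$f"; then
        return 0
    fi
    return 1
}

# check_loaders FILE... -> one line per loader; returns 1 if any is unpatched.
# On amd64 both /libexec/ld-elf.so.1 and /libexec/ld-elf32.so.1 must be
# checked: "make && make install" in rtld-elf replaces only the 64-bit loader,
# a buildworld/installworld updates both (see post #5 above).
check_loaders() {
    rc=0
    for f in "$@"; do
        status=0
        rtld_is_patched "$f" || status=$?
        case $status in
            0) echo "$f: patched" ;;
            1) echo "$f: UNPATCHED - rebuild and reinstall rtld"; rc=1 ;;
            *) echo "$f: not present, skipped" ;;
        esac
    done
    return $rc
}

# Check the loader paths named in the thread; exit status 1 means action needed.
check_loaders /libexec/ld-elf.so.1 /libexec/ld-elf32.so.1
```

The check is a string heuristic: it confirms that the installed binary was built from patched source, not that every setuid binary on the box has since been re-executed under it.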
-
12-01-2009, 10:54 PM #6 Web Hosting Master
Not quite that fast. It took me 3 hours and 15 minutes -- approximately 30 minutes before I saw the report, 90 minutes to track down what the problem was, 30 minutes to prepare the patch, 30 minutes to get a couple people to do buildworlds and confirm that it fixed the vulnerability, and 15 minutes to send the "pre-advisory" out.
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/
-
12-01-2009, 11:20 PM #7 relax, im a professional
I guess this isn't important enough to be on the FreeBSD website. Don't see anything on the advisory list.
James Paul Woods
Operations Manager
HostKitty Internet Services
-
12-01-2009, 11:29 PM #8 Web Hosting Master
We're still working on the advisory. It should be out tomorrow.
Dr. Colin Percival, FreeBSD Security Officer
-
12-02-2009, 09:23 PM #9 relax, im a professional
lol, what a joke. I'm going to have to reconsider my thoughts on FreeBSD taking security seriously.
If I was on some mailing list I'd have heard about this, but the website can't be updated?
Glad you posted this here, otherwise people wouldn't know about it.
James Paul Woods
-
12-02-2009, 09:27 PM #10 Web Hosting Master
Dr. Colin Percival, FreeBSD Security Officer
-
12-02-2009, 09:41 PM #11 Backup Guru
Indeed. All admins that work with FreeBSD servers should be on the list, and allow the emails to go straight to the inbox so that it's noticed right away. Better yet, have it forward to your cell phone as well.
To make it easier, subscribe here:
http://lists.freebsd.org/mailman/lis...-notifications
Scott Burns, President
-
12-02-2009, 10:03 PM #12 relax, im a professional
Or subscribe at www.centos.org.
I'll stop picking on FBSD now. It was my Unix of choice until this.
Maybe they just need more logos or money or something. What's an exploit here and there.
This isn't 1995, we've graduated to something a little more than email lists!
James Paul Woods
-
12-02-2009, 10:11 PM #13 Web Hosting Master
Well, actually, the FreeBSD Foundation could use some more money: http://www.freebsdfoundation.org/ :-)
However...
Quote: "What's an exploit here and there."
There will be an advisory for this issue RSN, at which point it will go onto the website.
Quote: "This isn't 1995, we've graduated to something a little more than email lists!"
If you have ideas for how this could have been better handled, please let me know via email at security-officer@freebsd.org.
Dr. Colin Percival, FreeBSD Security Officer
-
12-02-2009, 10:28 PM #14 Uptime Aficionado
FreeBSD is and always will be fundamentally more secure and stable than linux because of its conservative development cycle. Linux is basically a cumulative hack, and is constantly blessed and cursed with sweeping updates and bleeding edge features.
And I like how you bring CentOS up as a shining example of how an open source project should be run. I suggest you read this article and reconsider your conclusion http://www.centos.org/modules/news/a...hp?storyid=381
Considering the circumstances, I think the issue was handled quickly and professionally.
Ask me about CloudCentrum (coming soon) -- The complete, turn-key cloud software solution
-
12-02-2009, 10:50 PM #15 Web Hosting Master
Would actually like to mention I thought this was handled well -- I saw it days ago -- and I don't even have any freebsd boxes. I'm surprised you hadn't known about it.
With that said, wouldn't hurt to have twitter announcements as well: Instant, can be subscribed to via RSS and are an extremely quick way to disseminate information.
-
12-02-2009, 11:01 PM #16 A#* Duke Of New York
I still like freebsd (although I hardly use my personal computer with it that much, or anything else in general), but it was always good when I ran servers with it out of the box (except for that telnet exploit). And this was at a time when, if you put up a RH box with an out-of-the-box install, it would get rooted in 24 hours.
Go BEASTIE! (this was the best I could do instead of showing a link to him showing the penguin who's boss)
Chicago Electronic Cigarettes: Tobacco Free, Smoke Free. 3 E-Cig Models, 11 flavors, and accessories.
http://www.chicago-ecigs.com
-
12-03-2009, 12:31 AM #17 Web Hosting Master
Quite a trivial bug; it's amazing it wasn't discovered years ago. Maybe it was, and it just wasn't made public until recently.
For reference, it was made public on 30 Nov 2009 23:12:20.
If you run a multi-user server where some people shouldn't have root, I'd back up all important data and reinstall; the kernel and userland cannot be trusted.
█ VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
█ 99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
█ Follow us: twitter.com/VPSnoc
-
12-03-2009, 09:16 AM #18 Web Hosting Master
Just because Colin didn't post it: the update went live on freebsd-update about 3 hours ago.
... and there's also @freebsdsecurity, though I'm not sure as to the regularity with which it's updated, or whether it's official or not.
I used to run the oldest commercial Mumble host.