  1. #1

    [URGENT] FreeBSD Zero Day Exploit + Temporary Patch

    Hey,

    For those of you who do not subscribe to the FreeBSD security mailing list, there is a public zero-day exploit going around. I've been able to test it out on a few servers using different versions from FreeBSD 6.2 to FreeBSD 8.0, with mixed results. The exploit is local and requires access to the compilers along with a setugid binary. Disabling the compilers is not a valid workaround, and you are all strongly urged to use the following patch:

    cd /usr/src/libexec/rtld-elf
    fetch http://people.freebsd.org/~cperciva/rtld.patch
    patch < rtld.patch
    make && make install


    The patch has been put out by Colin Percival, the Security Officer for the FreeBSD project.

    This is what a valid exploit will look like:

    %uname -a

    FreeBSD domain.tld 7.2-STABLE FreeBSD 7.2-STABLE #5: Thu Nov 26 17:33:47 EST 2009 nop@domain.tld:/usr/obj/usr/src/sys/kernel i386

    %whoami

    nop

    %sh exploit.sh

    exploit.sh: gcc: Permission denied
    exploit.sh: gcc: Permission denied
    exploit.sh: gcc: Permission denied
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for

    # whoami

    root

    References:

    http://lists.freebsd.org/pipermail/f...er/005370.html

  2. #2
    Also, for the sake of the lazy admins out there ... please do not post any links to the exploit code. =)

  3. #3
    If the patch gives you the following output, it has failed and you will need to apply the patch manually:

    Hmm... Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |Index: rtld.c
    |===================================================================
    |--- rtld.c (revision 199977)
    |+++ rtld.c (working copy)
    --------------------------
    Patching file rtld.c using Plan A...
    Hunk #1 failed at 366.
    1 out of 1 hunks failed--saving rejects to rtld.c.rej
    done

    Open the rtld.c file and scroll down to the following section of code:

    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables. The process will be marked as tainted until setuid(2)
     * is called. If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        unsetenv(LD_ "PRELOAD");
        unsetenv(LD_ "LIBMAP");
        unsetenv(LD_ "LIBRARY_PATH");
        unsetenv(LD_ "LIBMAP_DISABLE");
        unsetenv(LD_ "DEBUG");
    }

    Replace the above code with the following and make sure you do not touch anything else or you could have a very broken system:

    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables. The process will be marked as tainted until setuid(2)
     * is called. If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
            unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
            unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH")) {
            _rtld_error("environment corrupt; aborting");
            die();
        }
    }

    Save the file and then execute: make && make install

  4. #4
    I'm not horribly familiar with the FBSD system (or C in general) though it looks like they allowed access to LD_PRELOAD on a SUID app (based off the original FD code).

    I was impressed with the response time of FBSD, they had a patch out about an hour after it was first published to Bugtraq/FD.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  5. #5
    I noticed that running a "make && make install" in /usr/src/libexec/rtld-elf only updates /libexec/ld-elf.so.1 on amd64 boxes, and not /libexec/ld-elf32.so.1. To be on the safe side, I then did a "make world" from /usr/src, which does update it.
    Scott Burns, President
    BQ Internet Corporation
    Remote Rsync and FTP backup solutions
    *** http://www.bqbackup.com/ ***
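    A follow-up check for the procedure in posts #1 and #3, with the amd64 caveat from post #5, added here as an example; it is not from the thread or from the FreeBSD project. After rebuilding, it confirms that every installed run-time linker actually contains the patched code. It assumes that the new message the patch adds, _rtld_error("environment corrupt; aborting"), ends up verbatim in the rebuilt binary, so grepping for it tells a rebuilt loader apart from the old one, which only carries the "missing value for" message seen in the exploit output above. It looks at both /libexec/ld-elf.so.1 and /libexec/ld-elf32.so.1, since a plain make install in rtld-elf only replaced the first one on amd64.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): confirm that the
# installed run-time linker(s) were really rebuilt with the rtld patch.
#
# Assumption: the patch's new message, "environment corrupt; aborting",
# ends up verbatim in the rebuilt ld-elf.so.1, while an unpatched loader
# only carries the older "environment corrupt; missing value for" text
# (the message visible in the exploit output in post #1).

PATCH_MARKER="environment corrupt; aborting"

# rtld_patched FILE
#   returns 0 if FILE contains the marker, 1 if it exists without it,
#   2 if FILE does not exist (e.g. no ld-elf32.so.1 on an i386 box).
rtld_patched() {
    [ -f "$1" ] || return 2
    grep -qF "$PATCH_MARKER" "$1" || return 1
    return 0
}

# check_all [DIR]
#   checks both loaders under DIR (default /libexec), prints one line per
#   file and returns the number of loaders that still need a rebuild.
check_all() {
    dir=${1:-/libexec}
    bad=0
    for name in ld-elf.so.1 ld-elf32.so.1; do
        rc=0
        rtld_patched "$dir/$name" || rc=$?
        case $rc in
        0) echo "$dir/$name: patched" ;;
        1) echo "$dir/$name: NOT patched; rebuild it (make world if a plain make install missed it)"
           bad=$((bad + 1)) ;;
        *) echo "$dir/$name: not present (normal on i386 or without 32-bit compat)" ;;
        esac
    done
    return $bad
}

# Run against the real system when executed as a script. The exit status is
# the number of unpatched loaders, so 0 means everything checked out.
check_all "$@"
```

    Run it as sh check-rtld.sh (or with a directory argument to point it elsewhere) on every box after the rebuild; on amd64 both lines should read "patched", and a non-zero exit status is the signal that a second pass from /usr/src is still needed.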

  6. #6
    Quote Originally Posted by CodyRo:
    I was impressed with the response time of FBSD, they had a patch out about an hour after it was first published to Bugtraq/FD.
    Not quite that fast. It took me 3 hours and 15 minutes -- approximately 30 minutes before I saw the report, 90 minutes to track down what the problem was, 30 minutes to prepare the patch, 30 minutes to get a couple people to do buildworlds and confirm that it fixed the vulnerability, and 15 minutes to send the "pre-advisory" out.
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  7. #7
    I guess this isn't important enough to be on the FreeBSD website. Don't see anything on the advisory list.
    James Paul Woods
    Operations Manager
    HostKitty Internet Services

  8. #8
    We're still working on the advisory. It should be out tomorrow.
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  9. #9
    lol, what a joke. I'm going to have to reconsider my thoughts on FreeBSD taking security seriously.

    If I was on some mailing list I'd have heard about this, but the website can't be updated?

    Glad you posted this here otherwise people wouldn't know about it.
    James Paul Woods
    Operations Manager
    HostKitty Internet Services

  10. #10
    Quote Originally Posted by woods01:
    If I was on some mailing list I'd have heard about this, but the website can't be updated?
    Anyone who uses FreeBSD and cares about security should be subscribed to the freebsd-security-notifications mailing list.
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  11. #11
    Quote Originally Posted by cperciva:
    Anyone who uses FreeBSD and cares about security should be subscribed to the freebsd-security-notifications mailing list.
    Indeed. All admins that work with FreeBSD servers should be on the list, and allow the emails to go straight to the inbox so that it's noticed right away. Better yet, have it forward to your cell phone as well.

    To make it easier, subscribe here:
    http://lists.freebsd.org/mailman/lis...-notifications
    Scott Burns, President
    BQ Internet Corporation
    Remote Rsync and FTP backup solutions
    *** http://www.bqbackup.com/ ***

  12. #12
    Or subscribe at www.centos.org.

    I'll stop picking on FBSD now. It was my Unix of choice until this.

    Maybe they just need more logos or money or something. What's an exploit here and there.

    This isn't 1995, we've graduated to something a little more than email lists!
    James Paul Woods
    Operations Manager
    HostKitty Internet Services

  13. #13
    Quote Originally Posted by woods01:
    Maybe they just need more logos or money or something.
    Well, actually, the FreeBSD Foundation could use some more money: http://www.freebsdfoundation.org/ :-)

    However...

    What's an exploit here and there.
    ... the FreeBSD Foundation, or for that matter 95% of FreeBSD developers, have no involvement in how security issues are handled. That's my (unpaid) job, and the job of the (unpaid) FreeBSD security team.

    There will be an advisory for this issue RSN, at which point it will go onto the website.

    This isn't 1995, we've graduated to something a little more than email lists!
    I sent a "pre-advisory" email out to the mailing lists because of the unusual situation here -- we usually get notice of security issues before they become public, but in this case I wanted to get something out (most importantly, a patch) before we could get the advisory ready.

    If you have ideas for how this could have been better handled, please let me know via email at security-officer@freebsd.org.
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  14. #14
    Quote Originally Posted by woods01:
    Or subscribe at www.centos.org.

    I'll stop picking on FBSD now. It was my Unix of choice until this.

    Maybe they just need more logos or money or something. What's an exploit here and there.

    This isn't 1995, we've graduated to something a little more than email lists!
    FreeBSD is and always will be fundamentally more secure and stable than Linux because of its conservative development cycle. Linux is basically a cumulative hack, and is constantly blessed and cursed with sweeping updates and bleeding edge features.

    And I like how you bring CentOS up as a shining example of how an open source project should be run. I suggest you read this article and reconsider your conclusion http://www.centos.org/modules/news/a...hp?storyid=381

    Considering the circumstances I think the issue was handled quickly and professionally.
    Ask me about CloudCentrum (coming soon) -- The complete, turn-key cloud software solution

  15. #15
    Would actually like to mention I thought this was handled well -- I saw it days ago -- and I don't even have any freebsd boxes. I'm surprised you hadn't known about it.

    With that said, wouldn't hurt to have twitter announcements as well: Instant, can be subscribed to via RSS and are an extremely quick way to disseminate information.

  16. #16
    I still like FreeBSD (although I hardly use my personal computer with it that much, or anything else in general), but it was always good when I ran servers with it out of the box (except for that telnet exploit). And this was at a time when if you put up an RH box with an out-of-the-box install it would get rooted in 24 hours.

    Go BEASTIE! (This was the best I could do instead of showing a link to him showing the penguin who's boss.)
    Chicago Electronic Cigarettes: Tobacco Free, Smoke Free. 3 E-Cig Models, 11 flavors, and accessories.
    http://www.chicago-ecigs.com

  17. #17
    Quite a trivial bug; it's amazing it wasn't discovered years ago. Maybe it was, and it just wasn't made public until recently.
    For reference it was made public on 30 Nov 2009 23:12:20
    If you run a multi-user server where some people shouldn't have root, I'd backup all important data and reinstall, the kernel and userland cannot be trusted.
    VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
    99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
    Follow us: twitter.com/VPSnoc

  18. #18
    Just because Colin didn't post it, the update went live on freebsd-update about 3 hours ago.

    ... and there's also @freebsdsecurity, though I'm not sure as to the regularity with which it's updated, or if it's official or not.
    I used to run the oldest commercial Mumble host.
