

[URGENT] FreeBSD Zero Day Exploit + Temporary Patch




Posted by Patrick, 12-01-2009, 02:48 AM
Hey, for those of you who do not subscribe to the FreeBSD security mailing list, there is a public zero day exploit going around. I've been able to test it out on a few servers using different versions from FreeBSD 6.2 to FreeBSD 8.0 with mixed results. The exploit is local and requires access to the compilers along with a setugid binary. Disabling the compilers is not a valid workaround and you are all strongly urged to use the following patch:

    cd /usr/src/libexec/rtld-elf
    fetch http://people.freebsd.org/~cperciva/rtld.patch
    patch < rtld.patch
    make && make install

The patch has been put out by Colin Percival, the Security Officer for the FreeBSD project. This is what a valid exploit will look like:

    %uname -a
    FreeBSD domain.tld 7.2-STABLE FreeBSD 7.2-STABLE #5: Thu Nov 26 17:33:47 EST 2009     nop@domain.tld:/usr/obj/usr/src/sys/kernel  i386
    %whoami
    nop
    %sh exploit.sh
    exploit.sh: gcc: Permission denied
    exploit.sh: gcc: Permission denied
    exploit.sh: gcc: Permission denied
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    /libexec/ld-elf.so.1: environment corrupt; missing value for
    # whoami
    root

References: http://lists.freebsd.org/pipermail/f...er/005370.html

Posted by Patrick, 12-01-2009, 02:51 AM
Also, for the sake of the lazy admins out there ... please do not post any links to the exploit code. =)

Posted by Patrick, 12-01-2009, 03:06 AM
If the patch gives you the following output it has failed and you will need to manually apply the patch:

    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |Index: rtld.c
    |===================================================================
    |--- rtld.c      (revision 199977)
    |+++ rtld.c      (working copy)
    --------------------------
    Patching file rtld.c using Plan A...
    Hunk #1 failed at 366.
    1 out of 1 hunks failed--saving rejects to rtld.c.rej
    done

Open the rtld.c file and scroll down to the following section of code:

    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables.  The process will be marked as tainted until setuid(2)
     * is called.  If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        unsetenv(LD_ "PRELOAD");
        unsetenv(LD_ "LIBMAP");
        unsetenv(LD_ "LIBRARY_PATH");
        unsetenv(LD_ "LIBMAP_DISABLE");
        unsetenv(LD_ "DEBUG");
    }

Replace the above code with the following and make sure you do not touch anything else or you could have a very broken system:

    /*
     * If the process is tainted, then we un-set the dangerous environment
     * variables.  The process will be marked as tainted until setuid(2)
     * is called.  If any child process calls setuid(2) we do not want any
     * future processes to honor the potentially un-safe variables.
     */
    if (!trust) {
        if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
            unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
            unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH")) {
            _rtld_error("environment corrupt; aborting");
            die();
        }
    }

Save the file and then execute:

    make && make install

Posted by CodyRo, 12-01-2009, 12:13 PM
I'm not horribly familiar with the FBSD system (or C in general) though it looks like they allowed access to LD_PRELOAD on a SUID app (based off the original FD code). I was impressed with the response time of FBSD, they had a patch out about an hour after it was first published to Bugtraq/FD.

Posted by bqinternet, 12-01-2009, 08:35 PM
I noticed that running a "make && make install" in /usr/src/libexec/rtld-elf only updates /libexec/ld-elf.so.1 on amd64 boxes, and not /libexec/ld-elf32.so.1. To be on the safe side, I then did a "make world" from /usr/src, which does update it.
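An added post-patch check (not from any poster in this thread): the temporary patch compiles the new string "environment corrupt; aborting" into the run-time linker, so each installed loader can be inspected for it, which covers the amd64 case above where /libexec/ld-elf32.so.1 must be rebuilt as well. It assumes grep(1) accepts -a to search a binary as text, which FreeBSD and GNU grep both do.

```shell
#!/bin/sh
# Added example: report whether each rtld binary named on the command line
# carries the "environment corrupt; aborting" string that the temporary
# patch adds to rtld.c. A loader built from unpatched sources lacks it.
# Assumption: grep(1) supports -a (treat a binary file as text).

PATCHED_MARKER='environment corrupt; aborting'

# check_rtld FILE...
# Prints one status line per file. Returns 1 if any existing file lacks the
# marker, 0 otherwise. A missing file is reported but does not fail the
# check, since i386 hosts have no /libexec/ld-elf32.so.1 at all.
check_rtld() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            continue
        fi
        if grep -aq "$PATCHED_MARKER" "$f"; then
            echo "PATCHED: $f"
        else
            echo "UNPATCHED: $f"
            rc=1
        fi
    done
    return "$rc"
}

# With no arguments, check the default loader locations (both exist on amd64).
if [ "$#" -eq 0 ]; then
    set -- /libexec/ld-elf.so.1 /libexec/ld-elf32.so.1
fi
check_rtld "$@"
```

A non-zero exit means at least one installed loader still lacks the patched string and needs the make && make install (or make world on amd64) repeated for it.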

Posted by cperciva, 12-01-2009, 10:54 PM
Not quite that fast. It took me 3 hours and 15 minutes -- approximately 30 minutes before I saw the report, 90 minutes to track down what the problem was, 30 minutes to prepare the patch, 30 minutes to get a couple people to do buildworlds and confirm that it fixed the vulnerability, and 15 minutes to send the "pre-advisory" out.

Posted by woods01, 12-01-2009, 11:20 PM
I guess this isn't important enough to be on the FreeBSD website. Don't see anything on the advisory list.

Posted by cperciva, 12-01-2009, 11:29 PM
We're still working on the advisory. It should be out tomorrow.

Posted by woods01, 12-02-2009, 09:23 PM
lol, what a joke. I'm going to have to reconsider my thoughts on FreeBSD taking security seriously. If I was on some mailing list I'd have heard about this, but the website can't be updated? Glad you posted this here, otherwise people wouldn't know about it.

Posted by cperciva, 12-02-2009, 09:27 PM
Anyone who uses FreeBSD and cares about security should be subscribed to the freebsd-security-notifications mailing list.

Posted by bqinternet, 12-02-2009, 09:41 PM
Indeed. All admins that work with FreeBSD servers should be on the list, and allow the emails to go straight to the inbox so that it's noticed right away. Better yet, have it forward to your cell phone as well. To make it easier, subscribe here: http://lists.freebsd.org/mailman/lis...-notifications

Posted by woods01, 12-02-2009, 10:03 PM
Or subscribe at www.centos.org. I'll stop picking on FBSD now. It was my Unix of choice until this. Maybe they just need more logos or money or something. What's an exploit here and there. This isn't 1995, we've graduated to something a little more than email lists!

Posted by cperciva, 12-02-2009, 10:11 PM
Well, actually, the FreeBSD Foundation could use some more money: http://www.freebsdfoundation.org/ :-) However... ... the FreeBSD Foundation, or for that matter 95% of FreeBSD developers, have no involvement in how security issues are handled. That's my (unpaid) job, and the job of the (unpaid) FreeBSD security team. There will be an advisory for this issue RSN, at which point it will go onto the website. I sent a "pre-advisory" email out to the mailing lists because of the unusual situation here -- we usually get notice of security issues before they become public, but in this case I wanted to get something out (most importantly, a patch) before we could get the advisory ready. If you have ideas for how this could have been better handled, please let me know via email at security-officer@freebsd.org.

Posted by e-Sensibility, 12-02-2009, 10:28 PM
FreeBSD is and always will be fundamentally more secure and stable than Linux because of its conservative development cycle. Linux is basically a cumulative hack, and is constantly blessed and cursed with sweeping updates and bleeding edge features. And I like how you bring CentOS up as a shining example of how an open source project should be run. I suggest you read this article and reconsider your conclusion: http://www.centos.org/modules/news/a...hp?storyid=381 Considering the circumstances I think the issue was handled quickly and professionally.

Posted by David, 12-02-2009, 10:50 PM
Would actually like to mention I thought this was handled well -- I saw it days ago -- and I don't even have any freebsd boxes. I'm surprised you hadn't known about it. With that said, wouldn't hurt to have twitter announcements as well: Instant, can be subscribed to via RSS and are an extremely quick way to disseminate information.

Posted by davidb, 12-02-2009, 11:01 PM
I still like FreeBSD (although I hardly use my personal computer with it that much, or anything else in general), but it was always good when I ran servers with it out of the box (except for that telnet exploit). And this was at a time when, if you put up a RH box with an out-of-the-box install, it would get rooted in 24 hours. Go BEASTIE! (This was the best I could do instead of showing a link to him showing the penguin who's boss.)

Posted by DigitalLinx, 12-03-2009, 12:31 AM
Quite a trivial bug; it's amazing it wasn't discovered years ago, or maybe it was and just wasn't made public until recently. For reference, it was made public on 30 Nov 2009 23:12:20. If you run a multi-user server where some people shouldn't have root, I'd back up all important data and reinstall; the kernel and userland cannot be trusted.

Posted by fwaggle, 12-03-2009, 09:16 AM
Just because Colin didn't post it, the update went live on freebsd-update about 3 hours ago. ... and there's also @freebsdsecurity, though I'm not sure as to the regularity with which it's updated, or if it's official or not.
