From nobody@FreeBSD.org  Sun Mar  4 06:43:44 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id BFFFF16A401
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  4 Mar 2007 06:43:44 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id A4F8913C481
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  4 Mar 2007 06:43:44 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l246hiIh016256
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 4 Mar 2007 06:43:44 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l246hi1V016254;
	Sun, 4 Mar 2007 06:43:44 GMT
	(envelope-from nobody)
Message-Id: <200703040643.l246hi1V016254@www.freebsd.org>
Date: Sun, 4 Mar 2007 06:43:44 GMT
From: Guasconi Vincent<tyoptyop@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Security patch for rtld, a lack of environment sanitization
X-Send-Pr-Version: www-3.0

>Number:         109836
>Category:       kern
>Synopsis:       [rtld] [patch] Security patch for rtld, a lack of environment sanitization
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 04 06:50:03 GMT 2007
>Closed-Date:    Sat Jul 14 19:32:30 GMT 2007
>Last-Modified:  Sat Jul 14 19:32:30 GMT 2007
>Originator:     Guasconi Vincent
>Release:        7.0
>Organization:
Student
>Environment:
FreeBSD 7.0-CURRENT-200609 (GENERIC)
>Description:
Hi!

I'm french so excuse my english :p.
Here's a security problem I solved (I think).

<---------->
Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD
dynamic loaders.

Impact:  Serious. May lead to privilege escalation.

A class of security vulnerabilities has resurfaced in the dynamic loaders
of FreeBSD, OpenBSD, and NetBSD in the sanitization of environment
variables for suid and sgid binaries.
[...]
Due to either badly implemented sanitization or a lack of it, a setuid
binary may execute other processes with a tainted environment.

No attempt is made to clear dangerous variables. The
FreeBSD dynamic loaders simply do not process the variables
when ruid does not equal euid.
<---------->
complete source :
http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050829.html


Already fix in NetBSD since 3 months :
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/rtld.c.diff?r1=1.110&r2=1.111&f=h

-- 
Guasconi Vincent
French student.
http://altmylife.blogspot.com [fr]

>How-To-Repeat:

vulnerable root-suid program example:

main()
{
 setuid(0);
 execl("/usr/bin/id","id",0);
}

evil shared library:

__attribute__ ((constructor)) main()
{
 printf("[+] Hello from shared library land\n");
 execle("/bin/sh","sh",0,0);
}

>Fix:

So here's the patch for libexec/rtld-elf/rtld.c 1.120 (my first so be cool ^-^).
I've test it on my FreeBSD 7.0-CURRENT-200609 (GENERIC),
it works perfectly.
I don't know if you need I reproduce it for 6.2? I'm not really aware of the procedure.


26c26
<  * $FreeBSD: src/libexec/rtld-elf/rtld.c,v 1.120 2007/01/09 17:50:05 jhb Exp $
---
>  * $FreeBSD: src/libexec/rtld-elf/rtld.c,v 1.120 2007/03/04 04:42:00 jhb Exp $
140a141,142
> static void rtld_env_destroyer(char **);
> static void rtld_unsetenv(const char *, char **);
360,361c362,366
<     } else
<       dangerous_ld_env = 0;
---
>     } else {
>       /* issetugid isn't able to catch a setuid() so... */
>       rtld_env_destroyer(env);
>       dangerous_ld_env = 0;
>     }
3325a3331,3374
> }
> 
> /* ... Let's start the war. */
> /* env destructor in case of issetugid, security fix. */
> static void
> rtld_env_destroyer(char **env)
> {
>  ld_debug = NULL;
>  ld_library_path = NULL;
>  libmap_disable = 0;
>  libmap_override = NULL;
>  ld_preload = NULL;
>  rtld_unsetenv(LD_ "DEBUG", env);
>  rtld_unsetenv(LD_ "LIBRARY_PATH", env);
>  rtld_unsetenv(LD_ "LIBMAP_DISABLE", env);
>  rtld_unsetenv(LD_ "LIBMAP", env);
>  rtld_unsetenv(LD_ "PRELOAD", env);
>  return ;
> }
> 
> /* Thanks to OpenBSD */
> /* unset all var occurences from env */
> static void
> rtld_unsetenv(const char *var, char **env)
> {
>   char *ep;
> 
>   while ((ep = *env)) {
>     const char *vp = var;
> 
>     while (*vp && *vp == *ep) {
>       vp++;
>       ep++;
>     }
>     if (*vp == '\0' && *ep++ == '=') {
>       char **P;
> 
>       for (P = env;; ++P)
>       if (!(*P = *(P + 1)))
>         break;
>     } else
>       env++;
>   }
>   return ;

Hope it helps. Thx in advance.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sun Mar 4 12:40:30 UTC 2007 
Responsible-Changed-Why:  
Secteam will look at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=109836 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/109836: commit references a PR
Date: Thu, 17 May 2007 18:00:38 +0000 (UTC)

 csjp        2007-05-17 18:00:28 UTC
 
   FreeBSD src repository
 
   Modified files:
     libexec/rtld-elf     rtld.c 
   Log:
   In the event a process is tainted (setuid/setgid binaries), un-set any
   potentially dangerous environment variables all together. It should be
   noted that the run-time linker will not honnor these environment variables
   if the process is tainted currently. However, once a child of the tainted
   process calls setuid(2), it's status as being tainted (as defined by
   issetugid(2)) will be removed. This could be problematic because
   subsequent activations of the run-time linker could honnor these
   dangerous variables.
   
   This is more of an anti foot-shot mechanism, there is nothing I am
   aware of in base that does this, however there may be third party
   utilities which do, and there is no real negative impact of clearing
   these environment variables.
   
   Discussed on:   secteam
   Reviewed by:    cperciva
   PR:             kern/109836
   MFC after:      2 weeks
   
   Revision  Changes    Path
   1.124     +20 -10    src/libexec/rtld-elf/rtld.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: csjp 
State-Changed-When: Thu May 17 18:21:18 UTC 2007 
State-Changed-Why:  
This is been fixed in HEAD, we will merge this into 
-STABLE in a couple weeks. 

Thanks for your report. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=109836 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/109836: commit references a PR
Date: Sat, 14 Jul 2007 19:04:09 +0000 (UTC)

 csjp        2007-07-14 19:04:00 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     libexec/rtld-elf     rtld.c 
   Log:
   MFC rtld.c revision 1.124
   
   Unset potentially harmful environment variables.
   
   Discussed on:   seacteam
   PR:             kern/109836
   
   Revision   Changes    Path
   1.106.2.7  +20 -10    src/libexec/rtld-elf/rtld.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: csjp 
State-Changed-When: Sat Jul 14 19:32:02 UTC 2007 
State-Changed-Why:  
Fix has been merged into -STABLE 

http://www.freebsd.org/cgi/query-pr.cgi?pr=109836 
>Unformatted:
