FreeBSD critical security patch arrived

I.   Background

The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time. It also allows users to explicitly
load libraries via various LD_ environment variables.

II. Problem Description

When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.
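
Added example (not from the advisory, not rtld's code and not the patch): one way a privileged loader can scrub an environment block so that a corrupt entry cannot leave LD_ variables behind, and then refuse to continue unless a re-check confirms they are gone. The function names, the rule of dropping every LD_ name and the sample environment are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: every LD_* name is treated as unsafe. */
static int entry_is_unsafe(const char *e)
{
    const char *eq = strchr(e, '=');
    if (eq == NULL || eq == e)      /* corrupt entry: no '=' or empty name */
        return 1;
    return strncmp(e, "LD_", 3) == 0;
}

/* Compact envp in place, keeping only safe entries; returns entries dropped. */
int env_scrub(char **envp)
{
    char **src, **dst = envp;
    int dropped = 0;
    for (src = envp; *src != NULL; src++) {
        if (entry_is_unsafe(*src))
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

/* Re-check after scrubbing: 1 if nothing unsafe is left, 0 otherwise. */
int env_is_clean(char *const *envp)
{
    for (; *envp != NULL; envp++)
        if (entry_is_unsafe(*envp))
            return 0;
    return 1;
}

/* Fail closed: the caller must abort instead of loading when this is -1. */
int prepare_privileged_env(char **envp)
{
    env_scrub(envp);
    return env_is_clean(envp) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample environment containing one corrupt entry. */
    char *env[] = { "PATH=/bin", "no-equals-sign", "LD_PRELOAD=constructed.so", "HOME=/root", NULL };
    if (prepare_privileged_env(env) != 0)
        return 1;
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

The scrub walks the array itself and treats malformed entries as unsafe, so its result does not depend on a removal call that can fail without being noticed.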

III. Impact

An unprivileged user who can execute programs on a system can gain
the privileges of any setuid program which he can run. On most
system configurations, this will allow a local attacker to execute
code as the root user.

Of course, no workaround is available.
But the official patch for FreeBSD has finally arrived!

a) Download the relevant patch and its detached PGP signature:

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

There are a few exploits circulating on the net that use this vulnerability to gain local root access on most FreeBSD systems.


Copyright (c) 2012-2013 Unix Master. Powered by Blogger.