Vigil@nce: FreeBSD, privilege elevation via LD_PRELOAD
December 2009 by Vigil@nce
An local attacker can uses LD_PRELOAD in order to gain
administrator privileges.
– Severity: 2/4
– Consequences: administrator access/rights, privileged
access/rights, user access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/12/2009
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
The LD_PRELOAD environment variable instruct the kernel to load a
specified library in a program. The SUID and SGID bits
respectively mean that the program will run with the rights of the
owner and owner group of the file.
The _rtld() method of the file libexec/rtld-elf/rtld.c handle the
loading of a program. If it has the SUID and/or SGID bit enabled,
some potentially dangerous environment variable like LD_PRELOAD
are disabled. The unsetenv() method of the file
libc/stdlib/sysenv.c do the job. It can returns an error code. In
this case, the environment is not modified. However, _rtld() does
not checks the return code of unsetenv().
An local attacker can therefore uses LD_PRELOAD in order to gain
administrator privileges.
CHARACTERISTICS
– Identifiers: BID-37154, FreeBSD-SA-09:16.rtld, VIGILANCE-VUL-9230
– Url: http://vigilance.fr/vulnerability/FreeBSD-privilege-elevation-via-LD-PRELOAD-9230