Root exploit for FreeBSD
An exploit for FreeBSD is in circulation that allows users with restricted access to escalate their privileges to root level. The problem is caused by a flaw in the run-time link editor (rtld) which, in certain circumstances, accepts specially crafted environment variables. According to Kingcope, the developer of the exploit, the flaw is "incredibly easy" to exploit by, for example, setting a path to a specially crafted library for the LD_PRELOAD environment variable and then starting an SUID program like Ping.
LD_PRELOAD instructs the loader to load additional libraries when starting a program – regardless of what was specified at compile time. Code in such a library runs at the same privilege level as the SUID program itself. For that reason, the loader is expected to ignore user-supplied environment variables like LD_PRELOAD when it starts an SUID program.
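To illustrate the check a loader is expected to apply, here is an added example (not FreeBSD's rtld code) that strips loader-controlling variables from an environment array whenever the process is flagged as set-user-ID; the `privileged` flag is a parameter here, where a real loader on FreeBSD would consult issetugid(2), and the sample environment and library path are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return non-zero if an environment entry names a loader-controlling
 * variable (LD_PRELOAD, LD_LIBRARY_PATH, ...). Matching on the "LD_"
 * prefix alone, rather than on "NAME=", also catches entries that
 * lack the '=' a well-formed variable would have. */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Remove loader-controlling variables from a NULL-terminated env array
 * in place when the process is privileged (set-user-ID/set-group-ID).
 * 'privileged' stands in for issetugid(2) so the function can be
 * exercised as an ordinary user. Returns the number of entries removed. */
size_t scrub_loader_env(char **env, int privileged)
{
    size_t in, out = 0, removed = 0;

    if (!privileged)
        return 0;               /* unprivileged: leave the environment alone */

    for (in = 0; env[in] != NULL; in++) {
        if (is_loader_var(env[in])) {
            removed++;          /* drop it: it must not reach a privileged image */
            continue;
        }
        env[out++] = env[in];   /* keep everything else, preserving order */
    }
    env[out] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment as an unprivileged user might supply it. */
    char *env[] = { "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/untrusted.so",
                    "HOME=/home/user", "LD_LIBRARY_PATH=/tmp", NULL };
    size_t n = scrub_loader_env(env, 1);
    size_t i;

    printf("removed %zu loader variable(s)\n", n);
    for (i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```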
An attacker could, for instance, exploit the hole to compromise an entire server via vulnerabilities in web applications which would normally run at a restricted privilege level. FreeBSD 8.0-RELEASE and FreeBSD 7.1-RELEASE are affected. FreeBSD 6.3-RELEASE and FreeBSD 4.9-RELEASE are not vulnerable.
Due to the urgency of the matter, FreeBSD's security officer Colin Percival has released a patch without publishing the generally obligatory advisory, which is to follow on Wednesday. However, Percival pointed out that the patch hasn't been finalised and is still subject to change. The security officer also said that the patch hasn't been fully tested and that there is no guarantee that it will fully fix the hole, or that it will not introduce further issues.
- [FreeBSD-Announce] Upcoming FreeBSD Security Advisory, a report from Colin Percival.
- FreeBSD local r00t zeroday, a description of the exploit by Kingcope.