Home page logo

bugtraq logo Bugtraq mailing list archives

Critical Security Problem in 4.4BSD crt0
From: tqbf () enteract com (Thomas H. Ptacek)
Date: Sun, 2 Feb 1997 23:54:54 -0600

There is a critically important security problem in FreeBSD 2.1.5's C
runtime support library that will enable anyone with control of the
environment of a process to cause it to execute arbitrary code. All
executable SUID programs on the system are vulnerable to this problem.

The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the
"main()" entry point function in the program that is starting, will under
some circumstances call routines that set the "locale" of the program. The
routines that do this are heavily dependant on environment variables,
which are in some circumstances copied directly into local character
buffers on the stack of the locale routines.

An immediately exploitable problem is evident in
"startup_setrunelocale()", which, if certain environment variables are
set, will copy the value of "PATH_LOCALE" directly into a 1024 byte buffer
on the routine's stack. An attacker simply needs to insert machine code
and virtual memory addresses into the "PATH_LOCALE" variable, enable
startup locale processing, and run an SUID program.

On FreeBSD 2.1.5, startup locale processing is enabled by setting the
environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
called if the environment variable "LC_CTYPE" is set as well.

An exploit to this problem was written in less than 5 minutes. It's a
completely typical stack overrun. There is at least one report of
individuals activing exploiting this problem on the net.

FreeBSD 2.2-BETA, as well as OpenBSD, seem to have this problem resolved.
FreeBSD's crt0 start() function does not process locales and is thus not
vulnerable to this problem. I have seen no announcements from the FreeBSD
team about 2.2's resolution to the problem, or 2.1.5's vulnerability, and
can only assume that they are unaware of it.

Thanks to Michael Scher at U.S. Host for information about this problem.

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"I'm standing alone, I'm watching you all, I'm seeing you sinking."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]