*BSD News Article 88531



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newsxfer3.itd.umich.edu!agate!cal.alumni.berkeley.edu!nickkral
From: nickkral@cal.alumni.berkeley.edu (Nick Kralevich)
Newsgroups: comp.os.linux.advocacy,comp.unix.bsd.misc,comp.os.linux.misc
Subject: Re: Linux vs BSD
Date: 7 Feb 1997 14:04:35 GMT
Organization: California Alumni Association (http://www.alumni.berkeley.edu)
Lines: 63
Message-ID: <5dfcpj$t45@agate.berkeley.edu>
References: <32DFFEAB.7704@usa.net> <KETIL-ytqiv47v56j.fsf@pinro.imr.no> <5daavp$8lp@panix2.panix.com> <KETIL-ytqbu9yfheu.fsf@imr.no>
NNTP-Posting-Host: cal.alumni.berkeley.edu
Xref: euryale.cc.adfa.oz.au comp.os.linux.advocacy:82676 comp.unix.bsd.misc:2321 comp.os.linux.misc:156602

In article <KETIL-ytqbu9yfheu.fsf@imr.no>, Ketil Z Malde  <ketil@imr.no> wrote:
>Except for a couple of emulations?  Perhaps BSD is bug free, and has
>always been so.  

I'm surprised that no one has mentioned that all current FreeBSD releases
have a bug that allows ANY suid program to be used to gain root access.

Or the fact that FreeBSD security holes aren't even posted to the
FreeBSD newsgroup.  

*sigh*

Take care,
-- Nick Kralevich
   nickkral@cal.alumni.berkeley.edu

----- Begin -----
From tqbf@enteract.com Fri Feb  7 06:02:29 1997
Date: Sun, 2 Feb 1997 23:54:54 -0600
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: BUGTRAQ@netspace.org
Subject: Critical Security Problem in 4.4BSD crt0

There is a critically important security problem in FreeBSD 2.1.5's C
runtime support library that will enable anyone with control of the
environment of a process to cause it to execute arbitrary code. All
executable SUID programs on the system are vulnerable to this problem.

The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the
"main()" entry point function in the program that is starting, will under
some circumstances call routines that set the "locale" of the program. The
routines that do this are heavily dependent on environment variables,
which are in some circumstances copied directly into local character
buffers on the stack of the locale routines.

An immediately exploitable problem is evident in
"startup_setrunelocale()", which, if certain environment variables are
set, will copy the value of "PATH_LOCALE" directly into a 1024 byte buffer
on the routine's stack. An attacker simply needs to insert machine code
and virtual memory addresses into the "PATH_LOCALE" variable, enable
startup locale processing, and run an SUID program.

On FreeBSD 2.1.5, startup locale processing is enabled by setting the
environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
called if the environment variable "LC_CTYPE" is set as well.

An exploit for this problem was written in less than 5 minutes. It's a
completely typical stack overrun. There is at least one report of
individuals actively exploiting this problem on the net.

FreeBSD 2.2-BETA, as well as OpenBSD, seem to have this problem resolved.
FreeBSD's crt0 start() function does not process locales and is thus not
vulnerable to this problem. I have seen no announcements from the FreeBSD
team about 2.2's resolution to the problem, or 2.1.5's vulnerability, and
can only assume that they are unaware of it.

Thanks to Michael Scher at U.S. Host for information about this problem.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."