FreeBSD Security Advisories
2009-Dec-03 09:31 UTC
FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:16.rtld                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Improper environment sanitization in rtld(1)

Category:       core
Module:         rtld
Announced:      2009-12-03
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name:       CVE-2009-4146, CVE-2009-4147

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time.  It also allows users to explicitly
load libraries via various LD_ environment variables.

II.  Problem Description

When running setuid programs rtld will normally remove potentially
dangerous environment variables.  Due to recent changes in the FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain
the privileges of any setuid program which he can run.  On most
system configurations, this will allow a local attacker to execute
code as the root user.

IV.  Workaround

No workaround is available, but systems without untrusted local users,
where all the untrusted local users are jailed superusers, and/or where
untrusted users cannot execute arbitrary code (e.g., due to use of read
only and noexec mount options) are not affected.

Note that "untrusted local users" include users with the ability to
upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
may be able to exploit this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld).  On
amd64 systems where the i386 rtld is installed, the operating system
should instead be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/libexec/rtld-elf/rtld.c                                     1.124.2.7
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.8
  src/sys/conf/newvers.sh                                     1.72.2.11.2.9
  src/libexec/rtld-elf/rtld.c                                 1.124.2.4.2.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.12
  src/sys/conf/newvers.sh                                     1.72.2.9.2.13
  src/libexec/rtld-elf/rtld.c                                 1.124.2.3.2.2
RELENG_8
  src/libexec/rtld-elf/rtld.c                                     1.139.2.4
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.4
  src/sys/conf/newvers.sh                                      1.83.2.6.2.4
  src/libexec/rtld-elf/rtld.c                                 1.139.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r199981
releng/7.2/                                                       r200054
releng/7.1/                                                       r200054
stable/8/                                                         r199980
releng/8.0/                                                       r200054
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
=jK/a
-----END PGP SIGNATURE-----
FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)

Sorry, this might seem a stupid question, but... In several places I read that FreeBSD 6.x is NOT affected; however, I heard some people discussing how to apply the patch to such systems. So, I'd like to know for sure: is 6.x affected? Is another patch on the way for it?

bye & Thanks
av.
Anybody can explain why no credit section for this advisory?

On Thu, Dec 3, 2009 at 1:30 AM, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
> FreeBSD-SA-09:16.rtld                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Improper environment sanitization in rtld(1)
>
> Category:       core
> Module:         rtld
> Announced:      2009-12-03
> Affects:        FreeBSD 7.0 and later.
> Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
>                 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
>                 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
>                 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name:       CVE-2009-4146, CVE-2009-4147
Dmitry Pryanishnikov
2009-Dec-03 20:18 UTC
FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
> Just in case there is some other way of exploiting the fact that rtld.c didn't
> check whether unsetenv was successful (which I bet people are now looking for)
> I'd apply the patch to 6.3 and 6.4 also, just to be sure.

Well, they can search as long as they wish - _but_ there's just nothing to search:

    /* Legacy RELENG_6 libc implementation. __findenv() is libc's internal
       search routine, shared with getenv(): it returns a pointer to the
       value of `name' and stores the index of the matching environ entry
       in *offset, or returns NULL if there is no such entry. */
    extern char *__findenv(const char *name, int *offset);

    void
    unsetenv(name)
            const char *name;
    {
            extern char **environ;
            char **p;
            int offset;

            while (__findenv(name, &offset))        /* if set multiple times */
                    for (p = &environ[offset];; ++p)
                            if (!(*p = *(p + 1)))   /* shift the rest down */
                                    break;
    }

So unsetenv in 6.* just won't return until __findenv(name) returns NULL - but then __findenv() will return NULL next time in getenv(name). So we had a robust, consistent implementation in 6.* and before; now we haven't ;(

Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
Dmitry Pryanishnikov
2009-Dec-03 20:18 UTC
FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Hello!

> The change that introduced the bug was made as follows:
>
> | Revision 1.124: download - view: text, markup, annotated - select for diffs
> | Thu May 17 18:00:27 2007 UTC (2 years, 6 months ago) by csjp
> | Branches: MAIN
...
> This was also ported MFC'd into 6.3 onwards:
...
> So, yes, FreeBSD 6.3-RELEASE upwards are affected - FreeBSD 6.2 isn't.

Well, not exactly. This change introduces a vulnerability _only_ if the *env() implementation allows one to create an environment in which unsetenv(X) will fail but getenv(X) will still work. RELENG_6 luckily uses the old, legacy, but _consistent_ *env() implementation, which just uses the same variable search routine __findenv() both in getenv() and unsetenv(). So IMHO the advisory is correct, and there is no need to patch 6.*.

Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
Hello all,

First of all, this was a really quick patch time for the rtld bug. Nevertheless I have to say some things about the patch. In my eyes the first quick patch, sent out in the first place when the exploit was posted on bugtraq, did for sure fix the bug that let one slip through rtld and become root. I don't think the final patch patched the root cause, though. I know it's up to the FreeBSD Team to give out advisories and patch bugs; I just give my opinion on the bug here.

unsetenv FAILS to unset the environment variable, so why is this? Because of the bug that lets one corrupt the environment. So in my opinion it is not sufficient to patch a code line in one place and leave other instances, where this bug may happen, open to the bug. Env calls are used widely. I did some more auditing and found out that putenv and setenv also FAIL to set environment variables when the environ array variable is modified directly to corrupt the environment. So it would be possible to set an environment variable which in this case is not UNSETTABLE or SETTABLE (unsetenv and putenv/setenv respectively); in my eyes this is bad behaviour of the environment handling routines introduced recently in FreeBSD. So the bug is not only in not checking the return values, but also in the code that lets one refuse to set or unset envvars. I do my best to understand it correctly but may be wrong on this. I would be glad to see this fixed soon if it has not happened already, but as I said it's up to the FreeBSD Team, which did a great job here.

Regards,
Nikolaos Rangos
Dmitry Pryanishnikov
2009-Dec-04 22:30 UTC
FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Hello!

> So it would be possible to set an environment variable which in this case
> is not UNSETTABLE or SETTABLE (unsetenv and putenv/setenv respectively),
> in my eyes this is a bad behaviour of the environment handling routines
> introduced recently in FreeBSD.

Yes, this is a very dangerous situation, when an environment variable can't be unset yet can still be read. I would only understand that if we supported read-only variables. But officially we don't have them, yet virtually they can exist due to the corrupted environment ;( Generally speaking, IMHO, having a destroying function that can fail is the thing which should be avoided if possible. Imagine free() which could fail... Sounds really weird, but current unsetenv() behaviour resembles that.

Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
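As an added example (not code from the advisory, from FreeBSD's rtld or libc, or from anyone in this thread), the two defensive patterns this discussion points at: the advisory's Problem Description shows that a privileged program must not assume unsetenv() succeeded, and Dmitry's and Nikolaos's posts show that a directly corrupted environ can leave a variable unsettable yet readable. The function names, the "LD_" prefix list and the sample environment are assumptions constructed for the demonstration; env_filter() rebuilds a clean environment without depending on unsetenv() at all, and unset_and_verify() performs the unset-then-read-back check that rtld lacked.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Name prefixes a setuid program must not honour (the LD_ family). */
static const char *const blocked_prefixes[] = { "LD_", NULL };

/* Constructed sample environment for the demonstration: ordinary entries,
   two LD_ entries, and two malformed entries (no '=' / empty name) of the
   kind that can put an *env() implementation into an inconsistent state. */
static char *const sample_env[] = {
    "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/x.so", "NOEQUALS",
    "=emptyname", "HOME=/root", "LD_LIBRARY_PATH=/tmp", NULL
};

/* Returns 1 if entry is a well-formed "NAME=value" whose NAME does not
   begin with a blocked prefix, 0 otherwise (malformed entries are dropped). */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;                           /* no '=' or empty name */
    for (const char *const *p = blocked_prefixes; *p != NULL; p++) {
        size_t n = strlen(*p);
        if ((size_t)(eq - entry) >= n && strncmp(entry, *p, n) == 0)
            return 0;                       /* NAME starts with "LD_" */
    }
    return 1;
}

/* Build a fresh NULL-terminated environment from src, keeping only entries
   env_entry_allowed() accepts. Strings are shared with src; the caller frees
   the returned array. Rebuilding from scratch does not depend on unsetenv()
   succeeding, which is exactly the assumption the advisory says failed. */
char **env_filter(char *const *src, size_t *kept)
{
    size_t n = 0, k = 0;
    while (src[n] != NULL)
        n++;
    char **dst = calloc(n + 1, sizeof *dst);
    if (dst == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (env_entry_allowed(src[i]))
            dst[k++] = src[i];
    dst[k] = NULL;
    if (kept != NULL)
        *kept = k;
    return dst;
}

/* The check rtld lacked: treat unsetenv() as fallible and confirm that the
   variable can no longer be read back. Returns 0 only if name is gone;
   a caller in rtld's position should refuse to continue on -1. */
int unset_and_verify(const char *name)
{
    if (unsetenv(name) != 0)
        return -1;                          /* unsetenv reported failure */
    if (getenv(name) != NULL)
        return -1;                          /* "succeeded" but still visible */
    return 0;
}
```

On a libc whose getenv() and unsetenv() share one search routine (the RELENG_6 case Dmitry describes) the read-back check is redundant; on one where they can disagree, it is the only thing standing between a privileged program and a variable it believes it removed.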