Just days after FreeBSD 8.0 was released,
the FreeBSD developers were undoubtedly unhappy to see a "zero day" exploit posted on the Bugtraq
mailing list. The exploit targets a local privilege escalation
vulnerability in the runtime loader (rtld) that allows unprivileged users
to become root. The vulnerability and its patch highlight
the need for code, particularly security-enforcing code, to check
the return values of the functions it calls.
The exploit works by handing the setuid program a deliberately broken
environment, one that unsetenv() cannot modify. When rtld starts a
setuid-root binary such as ping, it calls unsetenv() to strip LD_PRELOAD
and similar variables before it would otherwise honour them; on the broken
environment that call fails and returns an error, but rtld never looked at
the return value, so it went on to load the library named in LD_PRELOAD.
As the patch shows, rtld could have recognized the situation simply by
checking what unsetenv() returned and refusing to continue. Ignoring that
return value turned the environment sanitizing, a security feature, into one
that could easily be circumvented.
LD_PRELOAD lets a user name shared libraries that the loader maps ahead of
the executable's own dependencies, so that their symbols take precedence.
It is typically used to substitute a different version of a library, to
attach debugging aids (such as malloc()/free() tracking), and things of
that sort. Clearly a setuid binary should not be linked to arbitrary,
user-controlled libraries at runtime. In the exploit, the preloaded library
simply spawns a shell from its _init() routine. That shell runs with an
effective user ID of root because the kernel had already set the effective
UID when it executed the setuid ping binary, before rtld, which runs inside
the new process, ever got control.
It is common for programmers to ignore return values from functions that
"can't fail", but that is a dangerous practice, and it is worse still in
code that runs with privileges. Something similar occurred with
the (badly named) "sendmail
capabilities bug", which was really a problem with the Linux kernel
capabilities implementation: a local user could arrange for sendmail's
setuid() call to be refused, so the program carried on as root. Had
sendmail been more defensive and checked the return code from setuid()
when it was dropping privileges, something that "can't fail", a much
bigger problem would have been averted.
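As an added illustration of the sendmail lesson (this is example code written for this page, not sendmail's or FreeBSD's), here is a privilege drop that treats setgid() and setuid() as calls that can fail and then verifies the result instead of trusting it. The target uid and gid, and the uid 65534 used when the example happens to run as root, are assumptions for the demonstration; a real daemon would also clear supplementary groups with setgroups() while still privileged, which is left out here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the unprivileged uid/gid given and refuse to continue unless the
 * drop is verified. Returns 0 on success, -1 (errno set) on any failure.
 * Order matters: the group must be changed while the process is still
 * privileged enough to do so, i.e. before setuid(). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* "dropping" to root is not dropping */
        errno = EINVAL;
        return -1;
    }
    if (setgid(gid) != 0)           /* the sendmail lesson: this "can't fail" */
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the return codes alone: confirm the kernel's view. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* With real, effective and saved uid all non-zero, regaining root must
     * now be impossible. If setuid(0) succeeds the drop was not permanent. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* When run as root, drop to uid/gid 65534 ("nobody" on many systems, an
     * assumption for this demo); otherwise "drop" to our own ids, which
     * exercises the same checks without changing anything. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %lu gid %lu, and setuid(0) is refused\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The second half of the function is the part sendmail lacked: even when the calls report success, reading the ids back and probing that root cannot be regained turns an assumption into a checked fact, and the function fails closed on any discrepancy.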
If the person writing a system or library call believed that it could not
fail, they would presumably have made it a void function.
That is not to say that those programmers, or committees like
POSIX, are immune from bugs or bad
decisions, but callers should heed their intent. It is a difficult problem,
though, as it is sometimes unclear what a program should do when something
that can't fail does fail; for privileged code the safe answer is usually
to stop, as the rtld fix does, rather than carry on in an unknown state.
Worse yet, without some kind of
comprehensive fault-injection framework, those error paths are difficult to
test. But, at least for privileged code, the problem can't be ignored.
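To make the rtld lesson concrete, and to show one cheap way around the testing difficulty just mentioned, here is an added example (written for this page, not rtld's code) of an environment scrub in both the unchecked and the checked form. The variable names beyond LD_PRELOAD, the failing unsetenv() stand-in and the /tmp/example.so value are constructed for the demonstration; the stand-in simply reports failure without removing anything, which is the behaviour the exploit obtained from the real unsetenv() on a corrupt environment. Passing the primitive in as a function pointer is what lets the error path be exercised without a fault-injection framework.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Variables a dynamic loader must ignore when the process runs with
 * privileges its invoker does not have. LD_PRELOAD is the one the exploit
 * used; the other two names are illustrative, not FreeBSD's exact list. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", NULL
};

/* The primitive is passed in so the error path can be exercised with a
 * stand-in that fails on demand (simple fault injection). */
typedef int (*unsetenv_fn)(const char *name);

/* The unchecked pattern, as in rtld before the fix: call unsetenv() for each
 * name and assume it worked. There is nothing for it to report. */
void scrub_env_unchecked(unsetenv_fn unset)
{
    for (const char *const *p = unsafe_vars; *p != NULL; p++)
        (void)unset(*p);
}

/* The checked pattern: fail closed. Returns 0 only when every variable is
 * confirmed gone, -1 with errno set if unsetenv() reports failure or if the
 * variable is still visible afterwards. A privileged caller must refuse to
 * continue on -1. */
int scrub_env_checked(unsetenv_fn unset)
{
    for (const char *const *p = unsafe_vars; *p != NULL; p++) {
        if (unset(*p) != 0)
            return -1;                /* the branch rtld was missing */
        if (getenv(*p) != NULL) {     /* verify rather than trust the code */
            errno = EFAULT;
            return -1;
        }
    }
    return 0;
}

/* Production entry point: the checked scrub with the real libc call. */
int scrub_env(void)
{
    return scrub_env_checked(unsetenv);
}

/* Fault-injection stand-in that behaves like unsetenv() facing an
 * environment it cannot parse: reports failure and removes nothing. */
int unsetenv_corrupt(const char *name)
{
    (void)name;
    errno = EFAULT;
    return -1;
}

/* Scenario 1: unchecked scrub, failing unsetenv(). Returns 1 if LD_PRELOAD
 * survived, which is the outcome the exploit relied on. */
int unchecked_scrub_leaves_preload(void)
{
    setenv("LD_PRELOAD", "/tmp/example.so", 1);   /* constructed input */
    scrub_env_unchecked(unsetenv_corrupt);
    int survived = getenv("LD_PRELOAD") != NULL;
    unsetenv("LD_PRELOAD");                       /* tidy up, real call */
    return survived;
}

/* Scenario 2: checked scrub, same failing unsetenv(). Returns the scrub's
 * result, which must be -1 so the caller can abort. */
int checked_scrub_reports_failure(void)
{
    setenv("LD_PRELOAD", "/tmp/example.so", 1);   /* constructed input */
    int rc = scrub_env_checked(unsetenv_corrupt);
    unsetenv("LD_PRELOAD");
    return rc;
}

/* Scenario 3: checked scrub with the real unsetenv() on a sane environment.
 * Returns 1 if it succeeded and LD_PRELOAD is gone. */
int checked_scrub_cleans_sane_env(void)
{
    setenv("LD_PRELOAD", "/tmp/example.so", 1);   /* constructed input */
    return scrub_env() == 0 && getenv("LD_PRELOAD") == NULL;
}

int main(void)
{
    printf("unchecked scrub, failing unsetenv: LD_PRELOAD survived = %d\n",
           unchecked_scrub_leaves_preload());
    printf("checked scrub, failing unsetenv: rc = %d\n",
           checked_scrub_reports_failure());
    printf("checked scrub, real unsetenv: clean = %d\n",
           checked_scrub_cleans_sane_env());
    return 0;
}
```

The getenv() re-check after each call is deliberate belt and braces: the FreeBSD patch only needed the return value, but reading the variable back also catches a libc whose unsetenv() reports success while leaving a damaged environment untouched, and it costs nothing on the one code path that must not be wrong.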
This particular problem has existed in FreeBSD since version 7.0, released
in February 2008. A pre-advisory with the
patch was released by FreeBSD within a few hours of the Bugtraq posting;
a full advisory and updates are expected soon. In the meantime, this should
serve as something of an object lesson for others. With luck it will lead
developers to scrutinize existing code for similar issues, and remind
programmers not to make that kind of mistake in any
future code they write.
Light Blue Touchpaper previews a paper [PDF] describing the Open Vote Network protocol that would allow anonymous voting under a system of total communications surveillance. "In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter's privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects."
From the Mandriva advisory:
Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5
before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3,
and 9.0.x through 9.3.x with DNSSEC validation enabled and checking
disabled (CD), allows remote attackers to conduct DNS cache poisoning
attacks via additional sections in a response sent for resolution
of a recursive client query, which is not properly handled when the
response is processed at the same time as requesting DNSSEC records
(DO).
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of
certain directories at installation time, which allows local users to
access arbitrary user accounts by replacing the auth socket, related
to the parent directories of the base_dir directory, and possibly
the base_dir directory itself (CVE-2009-3897).
Robert Buchholz of the Gentoo Security Team reported that dstat
includes the current working directory and subdirectories in the Python
module search path (sys.path) before calling "import".
A local attacker could entice a user to run "dstat" from a directory
containing a specially crafted Python module, resulting in the
execution of arbitrary code with the privileges of the user running the
application.
A buffer overflow flaw was found in the kdelibs string to floating point
conversion routines. A web page containing malicious JavaScript could crash
Konqueror or, potentially, execute arbitrary code with the privileges of
the user running Konqueror. (CVE-2009-0689)
All versions of libtool prior to 2.2.6b suffer from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).
Bogdan Calin discovered that PHP did not limit the number of temporary
files created when handling multipart/form-data POST requests. A remote
attacker could exploit this flaw and cause the PHP server to consume all
available resources, resulting in a denial of service.
It was discovered that PHP did not properly enforce restrictions in the
proc_open function. An attacker could exploit this issue to bypass
safe_mode_protected_env_vars restrictions and possibly execute arbitrary
code with application privileges.
From the Debian advisory:
A flaw in the ini_restore() function could lead to a memory
disclosure, possibly leading to the disclosure of sensitive data.
PEAR's Mail class did not properly escape the content of mail header fields when using the sendmail backend. A remote attacker could send an email message with specially-crafted headers to a local user, leading to disclosure of content and potentially to modification of arbitrary system files, once the email message was processed by PEAR's Mail class.
Several integer overflows, buffer overflows and memory allocation
errors were discovered in the Poppler PDF rendering library, which may
lead to denial of service or the execution of arbitrary code if a user
is tricked into opening a malformed PDF document.
Dissector problems in TLS (CVE-2009-3243), Paltalk (CVE-2009-3549), and SMB (CVE-2009-3551).
From the Gentoo advisory:
A remote attacker could entice a user to open a specially crafted "erf"
file using Wireshark, possibly resulting in the execution of arbitrary
code with the privileges of the user running the application. A remote
attacker could furthermore send specially crafted packets on a network
being monitored by Wireshark or entice a user to open a malformed
packet trace file using Wireshark, possibly resulting in a Denial of
Service.