Summary:
Qualys researchers discovered a local privilege escalation vulnerability in OpenBSD's dynamic loader (ld.so). The vulnerability is exploitable in the default installation (via the set-user-ID executables chpass or passwd) and yields full root privileges to attackers who have low privileges on the system.
Vulnerability:
Under low-memory conditions in OpenBSD, the "_dl_split_path" function called at line 271 of "_dl_setup_env" returns NULL when the resource limit is reached. Because the call that removes LD_LIBRARY_PATH (line 288) is nested under the "if (_dl_libpath)" check at line 285, a NULL _dl_libpath causes the environment variable unset to be skipped entirely.
262 void
263 _dl_setup_env(const char *argv0, char **envp)
264 {
…
271         _dl_libpath = _dl_split_path(_dl_getenv("LD_LIBRARY_PATH", envp));
…
283         _dl_trust = !_dl_issetugid();
284         if (!_dl_trust) {       /* Zap paths if s[ug]id... */
285                 if (_dl_libpath) {
286                         _dl_free_path(_dl_libpath);
287                         _dl_libpath = NULL;
288                         _dl_unsetenv("LD_LIBRARY_PATH", envp);
289                 }
After this, attackers can add an attacker-controlled directory to the library path. ld.so then searches for shared libraries in _dl_libpath (LD_LIBRARY_PATH) and loads an attacker-controlled library from the current working directory. If a set-user-ID executable such as chpass or passwd is executed, the attacker-controlled library is loaded with set-user-ID root privileges.
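To make the control-flow defect concrete, the following is an added example (not OpenBSD's code) that models the pattern in C: a stand-in split_libpath() that returns NULL under a constructed low_memory switch, the advisory's guarded unset beside a version that removes the variable unconditionally for set-user-ID processes, and a harness libpath_survives() that reports whether LD_LIBRARY_PATH survives. All names in it are my own; the hardened variant illustrates the fix pattern, not the exact OpenBSD patch.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of ld.so's environment setup (added example, not OpenBSD's code).
 * low_memory is a constructed switch for the allocation failure behind _dl_split_path()'s NULL. */
static int low_memory = 0;

/* Return the envp slot holding "name=..." or NULL if the variable is absent. */
static char **find_env(const char *name, char **envp) {
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return envp;
    return NULL;
}
/* Stand-in for _dl_getenv() + _dl_split_path(): a heap copy of the LD_LIBRARY_PATH value,
 * NULL both when the variable is absent and when allocation fails (indistinguishable). */
static char *split_libpath(char **envp) {
    char **slot = find_env("LD_LIBRARY_PATH", envp);
    char *copy = (slot && !low_memory) ? malloc(strlen(*slot)) : NULL;
    return copy ? strcpy(copy, strchr(*slot, '=') + 1) : NULL;
}
/* Stand-in for _dl_unsetenv(): drop the slot by shifting the tail of the array down. */
static void unset_env(const char *name, char **envp) {
    char **slot = find_env(name, envp);
    for (; slot && *slot; slot++) slot[0] = slot[1];
}
/* The advisory's pattern (lines 284-288 above): the unset hides behind the allocation
 * result, so the NULL returned under memory pressure leaves LD_LIBRARY_PATH in place. */
static void setup_env_vulnerable(char **envp, int trust) {
    char *libpath = split_libpath(envp);
    if (!trust && libpath) {
        free(libpath); libpath = NULL;
        unset_env("LD_LIBRARY_PATH", envp);
    }
    free(libpath);
}
/* Hardened pattern: an untrusted (set-user-ID) process never keeps the variable, whatever
 * the allocation did; the path is only parsed at all for trusted processes. */
static void setup_env_fixed(char **envp, int trust) {
    char *libpath = NULL;
    if (!trust) unset_env("LD_LIBRARY_PATH", envp);
    else libpath = split_libpath(envp);
    free(libpath);
}
/* Run one variant on a constructed set-user-ID environment (trust = 0);
 * returns 1 if LD_LIBRARY_PATH survives sanitization. */
int libpath_survives(int fixed, int oom) {
    char *envp[] = { "PATH=/usr/bin", "LD_LIBRARY_PATH=/tmp/constructed", "HOME=/", NULL };
    low_memory = oom;
    if (fixed) setup_env_fixed(envp, 0); else setup_env_vulnerable(envp, 0);
    return find_env("LD_LIBRARY_PATH", envp) != NULL;
}
```

Only the combination of the guarded unset and a failed allocation (libpath_survives(0, 1)) keeps the variable alive; the unconditional variant removes it in both memory conditions.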
Proof of concept:
The exploit for this vulnerability is straightforward, so we believe active exploitation may happen soon in the wild.
Mitigation:
OpenBSD developers published a patch for this vulnerability in less than 3 hours.
Since only the two most recent OpenBSD releases receive security and reliability fixes for the base system, we believe this issue also affects older releases of OpenBSD. For those who are still running an unsupported vulnerable version of OpenBSD, the solution is to upgrade to a supported version and then apply the patch.
Qualys customers can scan their network with QID#372292 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on vulnerabilities.
References:
https://www.openbsd.org/errata66.html
https://www.openbsd.org/errata65.html
https://www.qualys.com/research/security-advisories/