Exploit published for FreeBSD local root vulnerability

The FreeBSD security team has rushed out a temporary patch to cover a local root vulnerability that exposes users to code execution attacks. The patch follows the public release of exploit code on the Full-Disclosure mailing list.

Here's a simple explanation of the problem from "Kingcope," the hacker who released the exploit:

The bug resides in the Run-Time Link-Editor (rtld). Normally rtld does not allow dangerous environment variables like LD_PRELOAD to be set when executing setugid binaries like "ping" or "su". With a rather simple technique rtld can be tricked into accepting LD variables even on setugid binaries.

FreeBSD security officer Colin Percival confirmed the issue could allow a local user to execute arbitrary code as root.  It affects FreeBSD versions 7.1 and 8.0.

Percival said FreeBSD patch is buyer-beware because it was rushed out on short notice.

Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues -- in short, use at your own risk (even more than usual).

The patch is available here.  See more from Threatpost's Dennis Fisher.