If you are a FreeBSD user then it’s patch time as a new exploit is published which gives attackers root access to machines.
The flaw affects versions 8.0 and 7.1 of FreeBSD.
The researcher, Kingcope, has posted an explanation of the flaw on the Full Disclosure mailing list:
The bug resides in the Run-Time Link-Editor (rtld). Normally rtld does not allow dangerous environment variables like LD_PRELOAD to be set when executing setugid binaries like “ping” or “su”. With a rather simple technique rtld can be tricked into accepting LD variables even on setugid binaries. See the attached exploit for details.
If that doesn’t make any sense to you (and I don’t blame you if it doesn’t), don’t worry, a patch has been published. Interestingly however, Colin Percival, the project’s security officer, felt that because of the severity of the flaw and the fact that exploit code exists, it was necessary to post the patch as soon as possible, without even publishing a security advisory:
“A short time ago a ‘local root’ exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root. Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues — in short, use at your own risk (even more than usual).”
It’s also worth pointing out that this is a local exploit, not one that an attacker can exploit remotely.
