CVE-2009-4146
Published: 2009-12-02
Priority: P3
CVSS 2.0: 7.2 (high), vector AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Exploit-DB and Metasploit entries below)
EPSS: 3.90% (89.0th percentile)
The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setgid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147.
Affected
3 ranges (affected releases from the CVE description; fixed-in patch levels from FreeBSD-SA-09:16.rtld below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | 7.1-RELEASE | 7.1-RELEASE-p9 |
| freebsd | freebsd | 7.2-RELEASE | 7.2-RELEASE-p5 |
| freebsd | freebsd | 8.0-RELEASE | 8.0-RELEASE-p1 |
GHSA
GHSA-q9qx-32qq-p7r3 (ghsa_unreviewed · 2022-05-02 · CVSS 7.2)
CVE-2009-4146 [HIGH]: carries the same description as the CVE entry above (LD_PRELOAD not cleared by _rtld in FreeBSD 7.1, 7.2, and 8.0).
GHSA
GHSA-fp7j-g85q-5q4q (ghsa_unreviewed · 2022-05-02 · CVSS 7.2)
CVE-2009-4147 [HIGH]: The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setgid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146.
BSD
FreeBSD-SA-09:16.rtld: Improper environment sanitization in rtld(1) (bsd_advisories · 2009-12-03 · CVSS 7.2)
CVE-2009-4146 [HIGH]
FreeBSD-SA-09:16.rtld Security Advisory
The FreeBSD Project
Topic: Improper environment sanitization in rtld(1)
Category: core
Module: rtld
Announced: 2009-12-03
Affects: FreeBSD 7.0 and later.
Corrected: 2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name: CVE-2009-4146, CVE-2009-4147
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The run-time link-editor, rtld, links dynamic executables with their
needed libraries at run-time. It also allows us
No detection rules found.
Exploit-DB
FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation (exploitdb · 2009-11-30, filed under CVE-2009-4147)
---
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"
"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg
There is an unbelievably simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-REL
Metasploit
FreeBSD rtld execl() Privilege Escalation (metasploit)
This module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld `unsetenv()` function fails to remove `LD_*` environment variables if `__findenv()` fails. This can be abused to load arbitrary shared objects using `LD_PRELOAD`, resulting in privileged code execution. This module has been tested successfully on: FreeBSD 7.2-RELEASE (amd64); and FreeBSD 8.0-RELEASE (amd64).
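The following is an added example, not FreeBSD's rtld or libc code and not the Metasploit module. It models the mechanism the entry above describes: rtld scrubbed the LD_* variables with unsetenv(), unsetenv() failed when the environment contained an entry without an '=', rtld ignored that failure, and the later LD_PRELOAD lookup scanned environ directly and still found the variable. The functions model_unsetenv, model_getenv, vulnerable_rtld, hardened_rtld and scrub_ld_direct are hypothetical simplifications of the libc and rtld behaviour; the environment arrays, including the empty entry that precedes LD_PRELOAD in the hostile one, and the path /tmp/evil.so are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD code. Models CVE-2009-4146/4147: the LD_*
 * scrub used unsetenv(), which failed on an environment holding an entry
 * without '='; rtld discarded the return value, and a later lookup that
 * walked environ directly still found LD_PRELOAD. Environments below are
 * constructed; the hostile one mirrors the public exploit's layout.
 */

/* Variables named in CVE-2009-4146 and CVE-2009-4147. */
static const char *dangerous[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_LIBMAP", "LD_LIBMAP_DISABLE",
    "LD_DEBUG", "LD_ELF_HINTS_PATH", NULL
};

/* Is the entry "NAME=value" the variable `name`? */
static int entry_has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Any entry lacking '=' makes the environment "corrupt". */
int env_is_corrupt(char **envp)
{
    for (char **p = envp; *p; p++)
        if (strchr(*p, '=') == NULL)
            return 1;
    return 0;
}

/* Failing libc path (simplified): a corrupt environment is left
   untouched and -1 is returned, the case the vulnerable rtld ignored. */
int model_unsetenv(char **envp, const char *name)
{
    if (env_is_corrupt(envp))
        return -1;
    for (char **p = envp; *p; p++) {
        if (entry_has_name(*p, name)) {
            do { p[0] = p[1]; } while (*p++ != NULL);  /* shift down */
            return 0;
        }
    }
    return 0;
}

/* Lookup that walks environ directly, so it succeeds even after
   model_unsetenv() has failed. Returns the value or NULL. */
const char *model_getenv(char **envp, const char *name)
{
    for (char **p = envp; *p; p++)
        if (entry_has_name(*p, name))
            return *p + strlen(name) + 1;
    return NULL;
}

/* Pre-patch pattern: the unsetenv() result is discarded. A non-NULL
   return means the trojan library path would reach the loader. */
const char *vulnerable_rtld(char **envp)
{
    for (const char **d = dangerous; *d; d++)
        (void)model_unsetenv(envp, *d);      /* failure silently ignored */
    return model_getenv(envp, "LD_PRELOAD");
}

/* Direct scan that drops every dangerous variable without relying on a
   return value, so a malformed entry cannot make it skip anything.
   Returns the number of entries removed. */
int scrub_ld_direct(char **envp)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in; in++) {
        int drop = 0;
        for (const char **d = dangerous; *d; d++)
            if (entry_has_name(*in, *d)) { drop = 1; break; }
        if (drop) removed++; else *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Hardened pattern: a corrupt environment is fatal (abort, do not keep
   loading), otherwise scrub by direct scan. -1 = abort, else count. */
int hardened_rtld(char **envp)
{
    if (env_is_corrupt(envp))
        return -1;  /* "environment corrupt; aborting" */
    return scrub_ld_direct(envp);
}

/* Constructed environments, rebuilt on each call since scrubbing mutates. */
char **hostile_env(void)
{
    static char e0[] = "", e1[] = "LD_PRELOAD=/tmp/evil.so";  /* exploit layout */
    static char *env[3];
    env[0] = e0; env[1] = e1; env[2] = NULL;
    return env;
}

char **benign_env(void)
{
    static char e0[] = "PATH=/bin", e1[] = "LD_PRELOAD=/tmp/evil.so", e2[] = "HOME=/";
    static char *env[4];
    env[0] = e0; env[1] = e1; env[2] = e2; env[3] = NULL;
    return env;
}
```

Calling vulnerable_rtld(hostile_env()) returns "/tmp/evil.so", while vulnerable_rtld(benign_env()) returns NULL: the same scrub works on a normal environment and is bypassed by one with a malformed entry in front of LD_PRELOAD. hardened_rtld(hostile_env()) returns -1 (abort) and hardened_rtld(benign_env()) returns 1; scrub_ld_direct() removes LD_PRELOAD from either environment. The practitioner's takeaway is the one the advisory fix embodies: a sanitizer whose failure can be ignored is not a sanitizer, and a setuid loader should treat a scrub failure as fatal rather than continue.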
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html
- http://people.freebsd.org/~cperciva/rtld.patch
- http://secunia.com/advisories/37517
- http://www.securityfocus.com/archive/1/508142/100/0/threaded
- http://www.securityfocus.com/archive/1/508146/100/0/threaded
- http://www.securityfocus.com/archive/1/508168/100/0/threaded
- http://www.securityfocus.com/bid/37154
- http://www.securitytracker.com/id?1023250