TUCoPS :: BSD :: bsd156.htm

setlocale() - cause a shell to be executed
1st Jan 1996 [SBWID-156]





	    FreeBSD 2.1.x, 2.2 (prior to December 1996)




	    Thomas H. Ptacek  reported that anyone  who installed FreeBSD  2.2

	    prior to December of 1996 is vulnerable to locale routine problems

	    similar to  the one  that afflicts  crt0 start()  in FreeBSD 2.1.x

	    (take a look at crt0 bug on this page).


	    Specifically, You are  able to cause  a shell to  be executed from

	    any program that calls  setlocale() in FreeBSD 2.2.  Thomas tested

	    this out with dmesg, which promptly gave him an SGID "kmem" shell.

	    Note that programs  that shed privilege  using saved-set UIDs  are

	    vulnerable to this  problem as well,  as the machine  code used to

	    take over the affected programs can easily restore privilege.


	    The  setlocale()  call  contains  a  number  of potential exploits

	    through string  overflows during  environment variable  expansion.

	    Because  the  2.1.6  and   earlier  versions  of  FreeBSD   called

	    setlocale()  in  the  C  runtime  code,  the problem is especially

	    acute there  in that  it essentially  effects all  binaries on the

	    system.  In FreeBSD 2.2  BETA and later releases, the  setlocale()

	    call  was  removed  from  crt0.c  and  the  exploit closed through

	    additional checks.


	    The  setlocale()  library  function  looks  for  the   environment

	    variable "PATH_LOCALE" in  the current process's  environment, and

	    if it  exists, later  copies the  contents of  this variable  to a

	    stack  buffer  without  doing  proper  bounds  checking.  If   the

	    environment  variable  was  specially  initialized with the proper

	    amount and type of data prior  to running a setuid program, it  is

	    possible to cause  the program to  overflow its stack  and execute

	    arbitrary code  which could  allow the  user to  become root.  Any

	    binary linked on  a system with  setlocale() built into  crt0.c or

	    which  calls   setlocale()  directly   has  the   buffer   overrun

	    vulnerability.  If this binary has the setuid or setgid bits  set,

	    or is called by another  setuid/setgid binary (even if that  other

	    setuid/setgid   binary   does   not   have   this  vulnerability),

	    unauthorized access may be allowed.



	 Update (18 september 2002)



	Beleive it or not, but this issue existed until now in NetBSD too.  From
	NetBSD security advisory [2002-012: buffer overrun in setlocale] :

	The setlocale (or its subcontractor, __setlocale) function,  defined  in
	lib/libc/locale/setlocale.c, is  used  to  change  the  locale  of  each
	locale  category.  setlocale()  function  switches  the  locale  of  the
	category specified by the first argument to  the  second  argument.  The
	special category LC_ALL can be used to change all locale  categories  at
	the same time. In this case,  the  NetBSD  implementation  of  setlocale
	allows  a  special  form  of  the  second  argument  string  to  specify
	individual locales per category.

	In this form, each locale is given  in  a  single  string  separated  by
	slashes ('/'), as  "A/B/C/D/E/F".  Here,  each  element  corresponds  to
	LC_MESSAGES,  respectively.  The  setlocale()   function   attempts   to
	decomposit these elements into  an  array  object  named  new_categories
	locally defined in lib/libc/locale/setlocale.c.  However,  the  code  to
	check the array boundary was lacking and thus  this  decomposition  code
	could destroy data segment if a string  having  over  six  elements  was

	If the  program  which  has  set[ug]id  bit  or  which  is  called  from
	set[ug]id program calls setlocale() with LC_ALL as  the  first  argument
	and   with   the   string   derived   from   user-given    data    (e.g.
	setlocale(LC_ALL, getenv("FOO")) ) as the  second  argument,  then  such
	program could be exploitable. DefaultLanguageProc function of X  Toolkit
	Intrinsics (Xt) is a example of such  usage.  DefaultLanguageProc  calls
	setlocale as  "setlocale(LC_ALL,  xnl)".  Here,  xnl  variable  is  null
	string ("") by default, but can be overriden by user via -  -xnllanguage
	option. Most Xt programs, including xterm, use this language  procedure.
	xterm is a setuid root program and thus any local user  could  illegally
	acquire root account by using this problem.

	On the other hand, the frequently used special  form,  setlocale(LC_ALL,
	""), does not have this problem because the decomposition code is  never
	executed in this form, although user-given LC_ALL  environment  variable
	is similarly referred.


	    The  locale  routines  were  patched  at  the end of 1996 to cause

	    PATH_LOCALE (the environment variable who's contents are trampling

	    all over the stack frames of locale routines) to be ignored if the

	    euid  doesn't  match  the  uid;  the  patch  also avoids the stack

	    overrun by  allocating space  for the  variable on  the heap  with



	    People running FreeBSD revisions  that don't have this  patch will

	    want  to  make  sure  they've  applied  these  patches  as soon as

	    possible.   Vulnerability  can  easily  be  assessed  by   setting

	    LC_CTYPE,  filling  PATH_LOCALE  with  2000 random characters, and

	    attempting to run /sbin/dmesg (which will segfault if the  problem



	    FreeBSD  recommends  recompiling  libc  with the following patches

	    and then recompiling  all staticly linked  binaries (all in  /sbin

	    and /bin  as well  as chflags,  gunzip, gzcat,  gzip, ld,  tar and

	    zcat in /usr/bin) eliminates  this vulnerability in FreeBSD  2.1.6

	    and earlier releases:


	        However,  a  full  solution  may  require  a  re-link  of  all

	        setuid/setgid local binaries or  all local binaries likely  to

	        be  called  from  another  setuid/setgid  program  that   were

	        originally linked  statically under  one of  the affected OSs.

	        Dynamically  linked  executables  will  benefit  directly from

	        this patch  once libc  is rebuilt  and reinstalled  and do not

	        need to be relinked.


	    Because  of  the  severity  of  this  security hole, a full update

	    release  for  FreeBSD  2.1.6  will  also be released very shortly,

	    that release  being provisionally  assigned the  version number of

	    2.1.7.   Patch for this can be found at following address:








	Updates available, check : http://www.NetBSD.ORG/Security/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH