ASA-2019-00669 – OpenBSD: Dynamic Loader Privilege Escalation


Allele Security Alert

ASA-2019-00669

Identifier(s)

ASA-2019-00669, CVE-2019-19726

Title

Dynamic Loader Privilege Escalation

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD version 6.6 before errata 013
OpenBSD version 6.5 before errata 024

Fixed version(s)

OpenBSD version 6.6 errata 013
OpenBSD version 6.5 errata 024

OpenBSD versions 6.6 and 6.5 with the corresponding patch applied:

OpenBSD 6.6 errata
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig

OpenBSD 6.5 errata
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig

Proof of concept

Unknown

Description

OpenBSD allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
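
The failure mode described above, reduced to an added example (not OpenBSD's ld.so code): a sanitizer that must allocate memory before it deletes a variable fails open, while one that deletes in place without looking, as the second commit listed under Reference(s) puts it, fails closed. The function names, the allocator hook that simulates memory exhaustion, and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef void *(*alloc_fn)(size_t);   /* hook so allocation failure can be simulated */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Return the value of name in envp, or NULL if it is not set. */
static const char *env_get(char **envp, const char *name)
{
    for (size_t len = strlen(name); *envp != NULL; envp++)
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return *envp + len + 1;
    return NULL;
}

/* Drop every "name=..." entry by compacting envp in place; allocates nothing. */
static void env_unset(char **envp, const char *name)
{
    char **dst = envp;
    for (size_t len = strlen(name); *envp != NULL; envp++)
        if (strncmp(*envp, name, len) != 0 || (*envp)[len] != '=')
            *dst++ = *envp;
    *dst = NULL;
}

/* Fail-open (hypothetical): needs memory before it gets around to deleting. */
static int strip_fail_open(char **envp, const char *name, alloc_fn alloc)
{
    const char *val = env_get(envp, name);
    if (val == NULL) return 0;
    char *copy = alloc(strlen(val) + 1);  /* stand-in for parsing the value */
    if (copy == NULL) return -1;          /* error path leaves the variable set */
    free(copy);
    env_unset(envp, name);
    return 0;
}

/* Fail-closed: an untrusted process deletes the variable without looking. */
static void strip_fail_closed(char **envp, const char *name) { env_unset(envp, name); }

int main(void)
{
    char *env[] = { "PATH=/bin", "LD_LIBRARY_PATH=/constructed/dir", NULL };  /* constructed */
    int rc = strip_fail_open(env, "LD_LIBRARY_PATH", failing_alloc);
    printf("fail-open: rc=%d still_set=%d\n", rc, env_get(env, "LD_LIBRARY_PATH") != NULL);
    strip_fail_closed(env, "LD_LIBRARY_PATH");
    printf("fail-closed: still_set=%d\n", env_get(env, "LD_LIBRARY_PATH") != NULL);
    return 0;
}
```

A caller of the fail-open variant is only safe if it treats the -1 return as fatal and refuses to continue in a privileged context.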

Technical details

Unknown

Credits

Qualys Research Team

Reference(s)

OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html

OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html

013_ldso.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig

024_ldso.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/024_ldso.patch.sig

ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
https://github.com/openbsd/src/commit/eee3c75f9abd5ea51e066dd0fe6b1efa470e4d0c

Don’t look up env variables until we know we’ll trust them. Otherwise, just delete them without looking.
https://github.com/openbsd/src/commit/4b65c70c5e05dc7a3d5ef502a5b4dc938ecf3bc5

oss-security – Local Privilege Escalation in OpenBSD’s dynamic loader (CVE-2019-19726)
https://www.openwall.com/lists/oss-security/2019/12/11/9

Local Privilege Escalation in OpenBSD’s dynamic loader (CVE-2019-19726)
https://seclists.org/fulldisclosure/2019/Dec/31

CVE-2019-19726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19726

CVE-2019-19726
https://nvd.nist.gov/vuln/detail/CVE-2019-19726

Last modified: December 18, 2019