Beautiful OpenBSD Root Exploit Published

From LinuxReviews

Cloud provider Qualys published a beautiful Local Privilege Escalation exploit for recent versions of OpenBSD on Wednesday the 12th of December. Any regular account can get full root access on a default installation. The OpenBSD developer team, led by Theo de Raadt, were so embarrassed by this that they created a patch fixing the vulnerability in less than 3 hours.

published 2019-12-13, last edited 2020-01-30

The exploit, published on seclists.org with the title "Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)", is quite ingenious and beautiful. The proof-of-concept root exploit tricks the system library loader ld.so into loading what should have been a system library from the current folder. It's worth reading through the proof of concept if you enjoy beautiful and clever exploits.

The security-focused OpenBSD team were so embarrassed that they worked for 3 hours straight in order to create patches for OpenBSD which fix all the security holes used by this exploit. OpenBSD users should probably upgrade. The creators of the proof-of-concept tested it on OpenBSD 6.6 (current release) as well as 6.5, 6.2 and 6.1 - on both amd64 and i386.

This is the second enjoyable security flaw Qualys has found this month; the first being "Authentication vulnerabilities in OpenBSD" published on December 5th. Those vulnerabilities can be used to bypass remote authentication for smtpd, ldapd and even su - but you can't get root using su, only switch users. sshd has its own built-in defenses so it was also not affected. smtpd can be abused to send spam mail - so unpatched OpenBSD mail servers being wide open to attacks is a problem.

You should absolutely make sure your system is up-to-date if you are using OpenBSD.
