Beautiful OpenBSD Root Exploit Published
Cloud provider Qualys published a beautiful Local Privilege Escalation exploit for recent versions of OpenBSD on Wednesday the 12th of December. Any regular account can get full root access on a default installation. The OpenBSD developer team, led by Theo de Raadt, were so embarrassed by this that they created a patch which fixes the vulnerability in less than 3 hours.
published 2019-12-13 - last edited 2020-01-30
The exploit, published on seclists.org with the title Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726), is quite ingenious and beautiful. The proof-of-concept root exploit tricks the system library loader ld.so into loading what should have been a system library from the current folder. It's worth reading through the proof of concept if you enjoy beautiful and clever exploits.
The security-focused OpenBSD team were so embarrassed that they worked for 3 hours straight in order to create patches for OpenBSD which fix all the security holes used by this exploit. OpenBSD users should probably upgrade. The creators of the proof-of-concept tested it on OpenBSD 6.6 (current release) as well as 6.5, 6.2 and 6.1 - on both amd64 and i386.
This is the second enjoyable security flaw Qualys has found this month; the first being "Authentication vulnerabilities in OpenBSD" published on December 5th. Those vulnerabilities can be used to bypass remote authentication for smtpd, ldapd and even su - but you can't get root using su, only switch users. sshd has its own built-in defenses so it was also not affected. smtpd can be abused to send spam mail - so unpatched OpenBSD mail servers being wide open to attacks is a problem.
You should absolutely make sure your system is up-to-date if you are using OpenBSD.