OpenBSD LD.SO Local Environment Variable Clearing Vulnerability

Bugtraq ID:	21188
Class:	Design Error
CVE:	CVE-2006-6164
Remote:	No
Local:	Yes
Published:	Nov 20 2006 12:00AM
Updated:	Jul 06 2016 02:40PM
Credit:	Mark Dowd, John McDonald, and Justin Schuh are credited with discovering this issue.
Vulnerable:	OpenBSD OpenBSD 4.0 OpenBSD OpenBSD 3.9
Not Vulnerable:

OpenBSD LD.SO Local Environment Variable Clearing Vulnerability

OpenBSD is prone to a local vulnerability that may allow attackers to pass malicious environment variables to applications, bypassing expected security restrictions.

Attackers may be able to exploit this issue to execute arbitrary code with elevated privileges.

This issue affects OpenBSD 3.9 and 4.0; prior versions may also be affected.

OpenBSD LD.SO Local Environment Variable Clearing Vulnerability

The following proo-of-concept example is available:

• /data/vulnerabilities/exploits/21188.txt

OpenBSD LD.SO Local Environment Variable Clearing Vulnerability

Solution:
OpenBSD has released source-code patches to address this issue. Please see the references for more information.


OpenBSD OpenBSD 4.0

• OpenBSD 005_ldso.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/005_ldso.patch

OpenBSD OpenBSD 3.9

• OpenBSD 016_ldso.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/016_ldso.patch

OpenBSD LD.SO Local Environment Variable Clearing Vulnerability

References:

• OpenBSD Errata Page (OpenBSD)
  
• OpenBSD Homepage (OpenBSD)
  
• Lack of environment sanitization in the FreeBSD, OpenBSD, NetBSD dynamic loaders (In Cognito)