SunOS 4.1.2 and earlier allows local users to gain privileges via "LD_*" environmental variables to certain dynamically linked setuid or setgid programs such as (1) login, (2) su, or (3) sendmail, that change the real and effective user ids to the same user.
SunOS 4.1.2 and earlier are vulnerable to local privilege escalation through manipulation of the dynamic linker's environment variables. A local user can run code with the privileges of the affected setuid or setgid program, which for programs such as login, su, and sendmail means root, and so gain complete control of the system.
Step 1: Environment variable setup. The attacker sets linker variables such as LD_LIBRARY_PATH or LD_PRELOAD to point at a shared library they control, which contains their payload (for example, code that spawns a shell with elevated privileges).
Step 2: Program execution. The attacker runs a vulnerable setuid or setgid program (for example login, su, or sendmail).
Step 3: Dynamic linking. During initialization the program's dynamic linker resolves its shared libraries; because it honours the attacker's LD_* variables, it loads the attacker's library instead of the legitimate one.
Step 4: Payload execution. Code in the attacker's library runs with the privileges of the setuid/setgid program (for example, root).
Step 5: Privilege escalation. The payload, now running with elevated privileges, can create a root shell, modify system files, or install backdoors.
The vulnerability stems from how dynamically linked setuid/setgid programs on SunOS 4.1.2 and earlier handle environment variables prefixed with LD_*, which control the dynamic linker, including its search path for shared libraries. The affected programs (login, su, and sendmail among them) change the real and effective user IDs to the same user without first sanitizing the environment, so LD_* variables set by the caller are still honoured when shared libraries are loaded, and attacker-controlled code runs with the program's elevated privileges. This is a classic library injection vulnerability: it exploits the trust placed in the dynamic linker and the absence of validation on environment variables, and its root cause is the insecure handling of the environment across the user ID transition, which lets the caller influence the privileged program's execution flow.
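The missing sanitization described above, as an added C example (not SunOS code): a privileged program strips every LD_* entry from the environment it will keep, or pass to execve, before it changes user IDs. The helper names and the sample environment are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if an "NAME=value" entry belongs to the dynamic linker's
 * control family. The advisory names LD_LIBRARY_PATH and LD_PRELOAD;
 * the whole LD_ prefix is dropped rather than maintaining a denylist. */
static int is_linker_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Count LD_* entries; a setuid program can log a nonzero count as a
 * signal worth investigating before it drops or changes privileges. */
size_t count_linker_vars(char *const envp[])
{
    size_t c = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (is_linker_var(envp[i]))
            c++;
    return c;
}

/* Build a NULL-terminated copy of envp with every LD_* entry removed.
 * Entry strings are shared, not copied; the caller frees the array.
 * Call this BEFORE setuid/setreuid so the linker never sees the values
 * once real and effective IDs match. */
char **scrub_linker_env(char *const envp[])
{
    size_t n = 0;
    while (envp[n] != NULL)
        n++;
    char **clean = calloc(n + 1, sizeof *clean);
    if (clean == NULL)
        return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_linker_var(envp[i]))
            clean[k++] = envp[i];
    clean[k] = NULL; /* calloc already zeroed, kept explicit */
    return clean;
}

int main(void)
{
    /* Constructed sample environment, not captured from a real host. */
    char *sample[] = { "HOME=/home/user", "LD_PRELOAD=/tmp/untrusted.so",
                       "PATH=/bin:/usr/bin", "LD_LIBRARY_PATH=/tmp", NULL };
    printf("linker vars present: %zu\n", count_linker_vars(sample));
    char **clean = scrub_linker_env(sample);
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        puts(clean[i]);
    free(clean);
    return 0;
}
```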