FreeBSD 7-8 Exploit & Patch

A local exploit that escalates privileges from an ordinary user to root.

http://seclists.org/fulldisclosure/2009/Nov/371

Launched as an ordinary user, the exploit gives root rights.

Patching:

cd /usr/src/libexec/rtld-elf
cp rtld.c rtld.c.bak
ee rtld.c

Find this part of the file:

if (!trust) {
    unsetenv(LD_ "PRELOAD");
    unsetenv(LD_ "LIBMAP");
    unsetenv(LD_ "LIBRARY_PATH");
    unsetenv(LD_ "LIBMAP_DISABLE");
    unsetenv(LD_ "DEBUG");

and change it to:

if (!trust) {
    if (unsetenv(LD_ "PRELOAD") || unsetenv(LD_ "LIBMAP") ||
        unsetenv(LD_ "LIBRARY_PATH") || unsetenv(LD_ "LIBMAP_DISABLE") ||
        unsetenv(LD_ "DEBUG") || unsetenv(LD_ "ELF_HINTS_PATH")) {
        _rtld_error("environment corrupt; aborting");
        die();
    }
}

Next, run make && make install. Now you can run the exploit again to check that the patch works.
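
The patch turns a fire-and-forget cleanup into a fail-closed one: any unsetenv() error aborts the loader. The same pattern as a stand-alone sketch (an added example, not code from rtld.c or the FreeBSD project); the names env_has, scrub_ld_env and failing_unset are hypothetical, and the extra scan of environ after the unset calls goes one step beyond the patch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv/unsetenv prototypes */
#endif
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Variables the patched rtld.c clears; LD_ there expands to "LD_". */
static const char *const ld_vars[] = {
    "LD_PRELOAD", "LD_LIBMAP", "LD_LIBRARY_PATH",
    "LD_LIBMAP_DISABLE", "LD_DEBUG", "LD_ELF_HINTS_PATH",
};
#define N_LD_VARS (sizeof(ld_vars) / sizeof(ld_vars[0]))

typedef int (*unset_fn)(const char *);

/* 1 if envp holds "name=...", scanning the raw array directly. */
int env_has(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; envp != NULL && *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return 1;
    return 0;
}

/* Fail closed: 0 only if every unset call succeeded and no variable
 * is still present afterwards. The caller must abort on -1. */
int scrub_ld_env(unset_fn unset)
{
    size_t i;
    for (i = 0; i < N_LD_VARS; i++)
        if (unset(ld_vars[i]) != 0)
            return -1;
    for (i = 0; i < N_LD_VARS; i++)
        if (env_has(environ, ld_vars[i]))
            return -1;
    return 0;
}

/* Hypothetical stand-in for an unsetenv() call that reports failure. */
int failing_unset(const char *name) { (void)name; return -1; }
```

A privileged program would call scrub_ld_env(unsetenv) before doing anything else and exit on a non-zero result, just as the patched loader calls die().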