[VulnWatch] Security Announcement: untrusted ELF library path in some cvsup binary RPMs

From: Matthias Andree (matthias.andree_at_gmx.de)
Date: 01/29/04

    Date: Thu, 29 Jan 2004 15:17:46 +0100
    To: security@suse.de, jdp@polstra.com, vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    
    


    MA-SA-2004:02.ELF_RPATH

    Topic: Insecure ELF RPATH allows user privilege escalation

    Announcement: MA-SA-2004-02
    Writer: Matthias Andree
    Version: 1.0
    Announced: 2004-01-29
    Type: local escalation of privileges
    Impact: vulnerability enables one user to run a process under
                    some other user's account credentials
    Danger: medium to high (depends on packager)
                    - privilege escalation possible,
                      program reads libraries from world-writable path (SuSE RPM)
                      or non-root writable path (Anthon van der Neut's RPM)

    Affects: - cvsup-16.1h-2.i386.rpm by Anthon van der Neut
                    - cvsup-16.1h-43.i586.rpm by SUSE LINUX AG
                    (this list does not claim to be complete)

    Not affected: - cvsup-16.1h-90.i586.rpm by SUSE LINUX AG
                    - cvsup-16.1h FreeBSD 4 package
                    - all statically linked builds such as
                      cvsup-16.1d-LINUXLIBC6.tar.gz on FreeBSD mirrors
                    (this list does not claim to be complete)

    0. Release history

    2004-01-21 0.1 first draft
    2004-01-29 1.0 first release, updated vendor contact

    1. Background

    CVSup is a "software package for distributing and updating collections
    of files across a network. It can efficiently and accurately mirror all
    types of files, including sources, binaries, hard links, symbolic links,
    and even device nodes." (quoting John D. Polstra, http://www.cvsup.org/)

    CVSup appears to be a registered trademark of John D. Polstra.

    This announcement deals with third-party RPM packages for SuSE Linux,
    neither with statically linked CVSup packages nor the CVSup software
    itself.

    2. Problem description

    Some dynamically linked binary builds of the CVSup package contain
    untrusted paths in the ELF RPATH fields of the executables. Paths found
    include /home/anthon and /usr/src/packages (the latter may be world
    writable on SuSE systems, depending on the PERMISSIONS_SECURITY setting
    in /etc/sysconfig/security; the "easy" setting is vulnerable in any case).

    3. Impact

    Anyone with write access to one of the RPATH listed directories can
    potentially make cvsup or cvsupd link against a manipulated library at
    run time and hence execute his own code with the privileges of the user
    running the cvsup, cvsupd or cvpasswd programs.

    4. Checking for vulnerability

    On ELF systems, "objdump -p /usr/bin/cvsup | grep RPATH" or
    "readelf -d /usr/bin/cvsup | grep RPATH" can be used to print the
    run-time library search path of an ELF object (executable or library).

    The result is either missing/empty or a colon-separated list of
    directories. All directories listed here and their parents up to the
    root of the file system should only be writable by the privileged user
    and nobody else.

    5. Solution

    On SuSE Linux 9.0 and 8.2 for the i386 architecture, replace the cvsup RPM
    with the SuSE Linux 9.0 upgrade RPM, cvsup-16.1h-90.i586.rpm. Solutions
    for other systems are unknown.

    Ask your vendor if and only if you are entitled to security support.

    6. Future

    The CVSup and Modula-3 configurations that were used to build the
    vulnerable cvsup packages should be checked carefully to identify which
    component leaked the RPATH into the executable.

    Automated package build systems for any distribution should check the
    ELF RPATH of all generated ELF objects before bundling the package and
    refuse to build the package if untrusted run-time library path components
    are found, for a reasonable definition of "trusted". (see appendix B)
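    The check described in section 4, which is also the kind of check section 6 asks build systems to automate, as an added example that is not part of the advisory: it parses the RPATH/RUNPATH entry from `readelf -d` output and walks each listed directory up to the file-system root, flagging anything not root-owned or group/world writable, plus empty or relative components. The `lookup` callback, the sample readelf line and the fake directory tree (with /usr/src/packages modelled as mode 1777) are constructed for illustration.

```python
import os, re, stat, subprocess

# Matches the (RPATH)/(RUNPATH) line printed by `readelf -d` (added example, not the advisory's code).
_RPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]")

def parse_rpath(readelf_output):
    """Return all RPATH/RUNPATH components (colon-split) found in `readelf -d` text."""
    comps = []
    for m in _RPATH_RE.finditer(readelf_output):
        comps.extend(m.group(1).split(":"))
    return comps

def untrusted_reasons(component, lookup):
    """Why an RPATH component is untrusted (empty list = passes). lookup(path) -> (uid, mode)."""
    if component == "" or not component.startswith("/"):
        # "" means the current directory; "$ORIGIN" and relative paths depend on where the binary runs
        return ["empty or relative component (resolved at run time)"]
    reasons, path = [], os.path.normpath(component)
    while True:  # the directory itself and every parent up to "/" must be root-owned, not g/o-writable
        try:
            uid, mode = lookup(path)
        except (FileNotFoundError, KeyError):
            reasons.append(f"{path}: missing (an unprivileged user may be able to create it)")
        else:
            if uid != 0:
                reasons.append(f"{path}: owned by uid {uid}, not root")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append(f"{path}: group/world writable (mode {oct(mode & 0o7777)})")
        if path == "/":
            return reasons
        path = os.path.dirname(path)

def audit_rpath(readelf_output, lookup):
    """Map every RPATH component found in the readelf output to its list of problems."""
    return {c: untrusted_reasons(c, lookup) for c in parse_rpath(readelf_output)}

def audit_binary(elf_path):
    """Run the advisory's readelf check against a real binary and the live file system."""
    out = subprocess.run(["readelf", "-d", elf_path], capture_output=True, text=True, check=True).stdout
    return audit_rpath(out, lambda p: (os.lstat(p).st_uid, os.lstat(p).st_mode))

# Constructed sample: one readelf line plus a fake tree modelling the paths named in the advisory.
SAMPLE_READELF = " 0x000000000000000f (RPATH)  Library rpath: [/home/anthon/lib:/usr/src/packages/lib:/usr/lib]\n"
SAMPLE_TREE = {  # path -> (owner uid, mode); /usr/src/packages modelled as 1777 (PERMISSIONS_SECURITY=easy)
    "/": (0, 0o755), "/home": (0, 0o755), "/home/anthon": (1000, 0o755), "/home/anthon/lib": (1000, 0o755),
    "/usr": (0, 0o755), "/usr/src": (0, 0o755), "/usr/src/packages": (0, 0o1777),
    "/usr/src/packages/lib": (0, 0o755), "/usr/lib": (0, 0o755),
}
sample_lookup = lambda p: SAMPLE_TREE[p]  # raises KeyError for paths not in the constructed tree
```

A build system would call `audit_binary()` on every ELF object it produced and refuse to package if any component has a non-empty reason list.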

    A. References

    SuSE security information: http://www.suse.de/en/security/
    CVSup home page: http://www.cvsup.org/

    B. Vendor contacts (UTC dates) and actions, as far as known

    2004-01-11 contacted SuSE Security and John D. Polstra
    2004-01-11 John D. Polstra removes link to Anthon van der Neut's
                packages from the CVSup FAQ
    2004-01-12 Thomas Biege of SuSE assures "fix ASAP"
    2004-01-19 SuSE releases a bugfixed RPM for SuSE Linux 9.0
    2004-01-21 contacted Anthon van der Neut by mail
    2004-01-26 no mail response, but reached Anthon van der Neut by telephone;
                he added a note that the package is vulnerable, and added a
                link to the SuSE package, but he links to the outdated version
    2004-01-29 SuSE Security Announcement SuSE-SA:2004:004 mentions the
                cvsup fix and announces that the SuSE build system will
                be checking the RPATH.

