[NEWS] Unsecure ELF RPATH In CVSup Packages Allows User Privilege Escalation
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com
Date: 3 Feb 2004 15:05:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Unsecure ELF RPATH In CVSup Packages Allows User Privilege Escalation
<http://www.cvsup.org/> CVSup is a "software package for distributing and
updating collections of files across a network. It can efficiently and
accurately mirror all types of files, including sources, binaries, hard
links, symbolic links, and even device nodes."
Some dynamically linked binary builds of the CVSup package contain
untrusted paths in the ELF RPATH fields of the executables.
* cvsup-16.1h-2.i386.rpm by Anthon van der Neut
* cvsup-16.1h-43.i586.rpm by SUSE LINUX AG
* cvsup-16.1h-90.i586.rpm by SUSE LINUX AG
* cvsup-16.1h FreeBSD 4 package
* All statically linked builds such as cvsup-16.1d-LINUXLIBC6.tar.gz on
Paths found include /home/anthon and /usr/src/packages. Those may be world
writable on SuSE systems depending on the PERMISSIONS_SECURITY setting
in /etc/sysconfig/security: the "easy" setting is vulnerable in any case.
Anyone with write access to one of the directories listed in the RPATH can
potentially make cvsup or cvsupd link against a manipulated library at run
time and hence execute his own code with the privileges of the user
running the cvsup, cvsupd or cvpasswd programs.
Checking for vulnerability:
On ELF systems, objdump -p /usr/bin/cvsup | grep RPATH or readelf -d
/usr/bin/cvsup | grep RPATH can be used to print the run-time library
search path of an ELF object (executable or library). The result is either
missing/empty or a colon-separated list of directories. All directories
listed here and their parents up to the root of the file system should
only be writable by the privileged user and nobody else.
On SuSE Linux 9.0 and 8.2 for the i386 architecture, replace the cvsup RPM by
the SuSE Linux 9.0 upgrade RPM, cvsup-16.1h-90.i586.rpm. Solutions for
other systems are unknown.
The CVSup and Modula-3 configurations that were used to build the
vulnerable cvsup packages should be checked carefully to identify which
component leaked the RPATH into the executable. Automated package build
systems for any distribution should check the ELF RPATH of all generated
ELF objects before bundling the package and refuse to build the package if
untrusted run-time library path components are found, for a reasonable
definition of
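The check described under "Checking for vulnerability" above, and the gate the advisory asks automated build systems to apply before bundling a package, can both be done with the script below. It is an added example, not code from the advisory or from the CVSup project: it reads the RPATH/RUNPATH of each ELF object with readelf, then verifies that every listed directory and every parent up to / is owned by root and writable by nobody else. Two cases a plain grep does not cover are handled as well: a listed directory that does not exist (whoever can write its nearest existing ancestor can create it), and an empty or relative entry, which the dynamic loader resolves against the current working directory. It assumes GNU binutils readelf and a POSIX ls; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the advisory): audit ELF run-time library search
# paths. Usage: sh rpath_audit.sh /usr/bin/cvsup /usr/sbin/cvsupd ...
# Exit status 1 if any RPATH/RUNPATH entry is writable by someone other than root.

# Print the RPATH and RUNPATH entries of one ELF object, one per line.
# An empty element between colons means the current directory to the loader,
# so it is emitted as "." and flagged as unsafe by audit_elf.
elf_rpath() {
    readelf -d "$1" 2>/dev/null \
        | sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(..*\)\]/\2/p' \
        | tr ':' '\n' \
        | sed 's/^$/./'
}

# Decide from one "ls -ld" line whether that directory may be written only by
# root: field 1 is the mode string, field 3 the owner. Returns 0 if safe.
ls_line_safe() {
    set -- $1                             # split the ls line into fields
    case $1 in
        d????w*|d???????w*) return 1 ;;   # group- (char 6) or world- (char 9) writable
        d*) ;;                            # a directory without those bits
        *) return 1 ;;                    # not a directory at all
    esac
    case $3 in root|0) return 0 ;; *) return 1 ;; esac
}

# Return 0 if directory $1 and all of its parents up to / pass ls_line_safe.
dir_chain_safe() {
    d=$1
    # Climb to the nearest existing component: a missing RPATH directory is as
    # good as writable by whoever may write the first ancestor that does exist.
    while [ ! -e "$d" ] && [ "$d" != / ]; do d=$(dirname "$d"); done
    [ -d "$d" ] || return 1
    # Resolve symlinks so that every component checked is a real directory.
    d=$(cd -P -- "$d" 2>/dev/null && pwd -P) || return 1
    while :; do
        ls_line_safe "$(ls -ld "$d")" || return 1
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Audit one ELF object: one report line per entry, return 1 if any is unsafe.
audit_elf() {
    rc=0
    oldifs=$IFS
    IFS='
'
    for p in $(elf_rpath "$1"); do
        case $p in
            *'$'*) echo "REVIEW  $1: $p (loader token such as \$ORIGIN, resolve by hand)" ;;
            /*)    if dir_chain_safe "$p"; then echo "OK      $1: $p"
                   else echo "UNSAFE  $1: $p"; rc=1; fi ;;
            *)     echo "UNSAFE  $1: '$p' is searched relative to the working directory"
                   rc=1 ;;
        esac
    done
    IFS=$oldifs
    return $rc
}

# Command-line entry point: audit every file named on the command line.
if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do audit_elf "$f" || status=1; done
    exit $status
fi
```

A build system can run this over every ELF object in the staging tree and fail the build on a non-zero exit status, which is the refusal the advisory asks for. Note that the check is deliberately strict: a sticky world-writable directory such as /tmp in the chain is reported as unsafe, because anyone can create entries in it even though they cannot remove each other's.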
2004-01-11 contacted SuSE Security and John D. Polstra
2004-01-11 John D. Polstra removes link to Anthon van der Neut's packages
from the CVSup FAQ
2004-01-12 Thomas Biege of SuSE assures "fix ASAP"
2004-01-19 SuSE release bugfixed RPM for SuSE Linux 9.0
2004-01-21 contacted Anthon van der Neut by mail
2004-01-26 no mail response, but reached Anthon van der Neut by telephone
he added a note that the package is vulnerable, and added a link to the
SuSE package, but he links to the outdated version
2004-01-29 SuSE Security Announcement SuSE-SA:2004:004 mentions the cvsup
fix and announces that the SuSE build system will be checking the RPATH.
The information has been provided by <mailto:firstname.lastname@example.org>