[NEWS] Unsecure ELF RPATH In CVSup Packages Allows User Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 02/03/04

    To: list@securiteam.com
    Date: 3 Feb 2004 15:05:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Unsecure ELF RPATH In CVSup Packages Allows User Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

    CVSup (http://www.cvsup.org/) is a "software package for distributing and
    updating collections of files across a network. It can efficiently and
    accurately mirror all types of files, including sources, binaries, hard
    links, symbolic links, and even device nodes."
    Some dynamically linked binary builds of the CVSup package contain
    untrusted paths in the ELF RPATH fields of the executables.

    DETAILS

    Vulnerable Systems:
     * cvsup-16.1h-2.i386.rpm by Anthon van der Neut
     * cvsup-16.1h-43.i586.rpm by SUSE LINUX AG

    Immune Systems:
     * cvsup-16.1h-90.i586.rpm by SUSE LINUX AG
     * cvsup-16.1h FreeBSD 4 package
     * All statically linked builds such as cvsup-16.1d-LINUXLIBC6.tar.gz on
    FreeBSD mirrors

    Paths found include /home/anthon and /usr/src/packages. Those may be world
    writable on SuSE systems depending on the PERMISSIONS_SECURITY setting
    in /etc/sysconfig/security; the "easy" setting is vulnerable in any case.
    Anyone with write access to one of the directories listed in the RPATH can
    potentially make cvsup or cvsupd link against a manipulated library at run
    time and hence execute their own code with the privileges of the user
    running the cvsup, cvsupd or cvpasswd programs.

    Checking for vulnerability:
    On ELF systems, objdump -p /usr/bin/cvsup | grep RPATH or readelf -d
    /usr/bin/cvsup | grep RPATH can be used to print the run-time library
    search path of an ELF object (executable or library). The result is either
    missing/empty or a colon-separated list of directories. All directories
    listed here and their parents up to the root of the file system should
    only be writable by the privileged user and nobody else.
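    The check described above, automated as an added example that is not part of the advisory: it parses readelf -d output, then walks each RPATH/RUNPATH component and its parents up to the top of the file system, flagging any directory that is not owned by the privileged user or is group/world writable (a missing directory is skipped, since its first existing parent decides whether it can be created). It assumes POSIX sh, readelf and ls -n; the optional TOP and TRUSTED_UID arguments are my additions for auditing inside a scratch tree.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit the ELF run-time library
# search path the way the "Checking for vulnerability" section describes.
# Assumes POSIX sh, readelf and ls -n.

# Print the RPATH/RUNPATH components found in `readelf -d` output (stdin),
# one per line; prints nothing when the object has no such entry.
rpath_dirs_from_readelf() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\].*/\2/p' | tr ':' '\n' | sed '/^$/d'
}

# path_chain_is_trusted DIR [TOP] [TRUSTED_UID]
# 0 if DIR and each parent up to TOP (default /) is owned by TRUSTED_UID
# (default 0) and not group/world writable; otherwise prints why and returns 1.
# A directory that does not exist is skipped: whether an attacker can create
# it is decided by its first existing parent.
path_chain_is_trusted() {
    dir=$1; top=${2:-/}; want_uid=${3:-0}
    case $dir in
        /*) ;;
        *) echo "untrusted: relative or \$ORIGIN search path '$dir'"; return 1 ;;
    esac
    while :; do
        if out=$(ls -ldnL "$dir" 2>/dev/null); then
            set -- $out                    # $1 = mode string, $3 = owner uid
            case $1 in
                ?????w*|????????w*)        # group (col 6) or other (col 9) write bit
                    echo "untrusted: $dir is group/world writable ($1)"; return 1 ;;
            esac
            if [ "$3" != "$want_uid" ]; then
                echo "untrusted: $dir owned by uid $3, not $want_uid"; return 1
            fi
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# audit_elf_rpath FILE [TOP] [TRUSTED_UID]: 0 when every RPATH/RUNPATH
# component of FILE is trusted, 1 otherwise (offending components are printed).
audit_elf_rpath() {
    dirs=$(readelf -d "$1" | rpath_dirs_from_readelf) || return 2
    rc=0
    for d in $dirs; do
        path_chain_is_trusted "$d" "$2" "$3" || rc=1
    done
    return $rc
}
```

    Run it as audit_elf_rpath /usr/bin/cvsup on a real system; the two extra arguments are only needed when checking a scratch tree that is not owned by root.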

    Solution:
    On SuSE Linux 9.0 and 8.2 for the i386 architecture, replace the cvsup RPM
    by the SuSE Linux 9.0 upgrade RPM, cvsup-16.1h-90.i586.rpm. Solutions for
    other systems are unknown.

    The CVSup and Modula-3 configurations that were used to build the
    vulnerable cvsup packages should be checked carefully to identify which
    component leaked the RPATH into the executable. Automated package build
    systems for any distribution should check the ELF RPATH of all generated
    ELF objects before bundling the package and refuse to build the package if
    untrusted run-time library path components are found, for a reasonable
    definition of "trusted".

    Disclosure Timeline:
    2004-01-11 contacted SuSE Security and John D. Polstra
    2004-01-11 John D. Polstra removes link to Anthon van der Neut's packages
    from the CVSup FAQ
    2004-01-12 Thomas Biege of SuSE assures "fix ASAP"
    2004-01-19 SuSE releases bug-fixed RPM for SuSE Linux 9.0
    2004-01-21 contacted Anthon van der Neut by mail
    2004-01-26 no mail response, but reached Anthon van der Neut by telephone;
    he added a note that the package is vulnerable and a link to the SuSE
    package, but the link points to the outdated version
    2004-01-29 SuSE Security Announcement SuSE-SA:2004:004 mentions the cvsup
    fix and announces that the SuSE build system will be checking the RPATH.

    ADDITIONAL INFORMATION

    The information has been provided by Matthias Andree
    (matthias.andree@gmx.de).

