Debian Bug report logs - #504516
/usr/local/lib is writable by group staff and in default search path

Package: tech-ctte; Maintainer for tech-ctte is Technical Committee <debian-ctte@lists.debian.org>;

Reported by: Milen Rangelov <gat3way@gat3way.eu>

Date: Tue, 4 Nov 2008 18:09:01 UTC

Severity: normal

Merged with 484841

Done: Don Armstrong <don@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#504516; Package libc6. (Tue, 04 Nov 2008 18:09:04 GMT)

Acknowledgement sent to Milen Rangelov <gat3way@gat3way.eu>:
New Bug report received and forwarded. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Tue, 04 Nov 2008 18:09:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Milen Rangelov <gat3way@gat3way.eu>
To: submit@bugs.debian.org
Subject: libc6 package allows for a potential root compromise to users in 'staff' group
Date: Tue, 4 Nov 2008 20:07:27 +0200
Package: libc6
Version: 2.7-15

Hello. I just noticed that the libc6 package included in the unstable and 
testing repositories has a misconfiguration that can potentially lead to a 
root compromise by any local user that belongs to the 'staff' group (or that is 
able to write to /usr/local/lib somehow).

The problem is in this file: 
/etc/ld.so.conf.d/libc.conf

which contains:
# libc default configuration
/usr/local/lib

And the /usr/local/lib is writable by users in staff group by default.

While that group is intended for users that can compile/install software 
locally and do not need superuser rights, this thing will eventually grant 
them root privs quite easily.

If I am an intruder and got 'staff' group rights I would:

* compile a shared library named like some real one in /lib, declare some 
function which is declared in the real /lib one which executes arbitrary 
code.
* The library should imitate one that a suidroot binary is linked against
* wait until the superuser installs a new .deb package or updates the system 
(since many .deb packages do an ldconfig in their post-install phase).
* execute the setuid binary and have my arbitrary code run with superuser 
privileges.

I have described a similar scenario there (sorry, it's not in English, but it 
should be kinda graspable):

http://www . gat3way . 
eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15

(cut the spaces in the URL).

It actually imitates the libselinux library and exploits the gpasswd to create 
a root-owned, suid setuid() wrapper for /bin/bash.

Hope that helps.




Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#504516; Package libc6. (Wed, 05 Nov 2008 06:51:02 GMT)

Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Wed, 05 Nov 2008 06:51:04 GMT)

Message #10 received at 504516@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: Milen Rangelov <gat3way@gat3way.eu>, 504516@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#504516: libc6 package allows for a potential root compromise to users in 'staff' group
Date: Wed, 5 Nov 2008 07:50:02 +0100
reassign 504516 general
thanks

On Tue, Nov 04, 2008 at 08:07:27PM +0200, Milen Rangelov wrote:
> Package: libc6
> Version: 2.7-15
> 
> Hello. I just noticed that the libc6 package included in the unstable and 
> testing repositories has a misconfiguration that can potentially lead to a 
> root compromise by any local user that belongs to the 'staff' group (or that is 
> able to write to /usr/local/lib somehow).
> 
> The problem is in that file: 
> /etc/ld.so.conf.d/libc.conf
> 
> which contains:
> # libc default configuration
> /usr/local/lib

This is not a misconfiguration; the goal is to be consistent with the
default path and the default include path of gcc.

> And the /usr/local/lib is writable by users in staff group by default.
> 
> While that group is intended for users that can compile/install software 
> locally and do not need superuser rights, this thing will eventually grant 
> them root privs quite easily.

Yes, but nothing new.

> If I am an intruder and got 'staff' group rights I would:
> 
> * compile a shared library named like some real one in /lib, declare some 
> function which is declared in the real /lib one which executes arbitrary 
> code.
> * The library should imitate one that a suidroot binary is linked against
> * wait until the superuser installs a new .deb package or updates the system 
> (since many .deb packages do an ldconfig in their post-install phase).
> * execute the setuid binary and have my arbitrary code run with superuser 
> privileges.
> 
> I have described a similar scenario there (sorry, it's not in English, but it 
> should be kinda graspable):
> 
> http://www . gat3way . 
> eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15
> 
> (cut the spaces in the URL).
> 

Even with etch it was possible to drop a binary in /usr/local/bin and
/usr/local/sbin which will then be used by all users, including root.
No changes here, you have to trust the users from group staff.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
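Both messages in this log turn on the same fact: a directory that sits on a privileged search path (the loader's, via /etc/ld.so.conf.d, or the shell's, via PATH) and is writable by a non-root group is exactly as sensitive as the root-owned binaries that search it. The script below is an added example, not part of this bug log and not Debian's own tooling; it lists the directories the dynamic loader and PATH will search and flags any that are group- or world-writable, so an administrator can see precisely which directories the staff group (or anyone else) controls and decide, as Aurelien puts it, whether those users are trusted. It assumes GNU coreutils `stat -c` and Debian's `include` syntax in /etc/ld.so.conf; the compiled-in loader defaults /lib and /usr/lib are taken from glibc and are an assumption for other libcs.

```shell
#!/bin/sh
# Added example (not from the bug log): audit the directories the dynamic
# loader and the shell will search, and flag those writable by a group or by
# everyone. Assumes GNU coreutils stat (-c) and a Debian-style ld.so.conf.

# Print the directories configured in an ld.so.conf-style file, one per line,
# following "include" lines (glob patterns, relative to the file's directory).
ldconf_dirs() {
    conf="$1"
    [ -r "$conf" ] || return 0
    base=$(dirname "$conf")
    # Strip comments and blank lines, then read each remaining line.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | while read -r first rest; do
        case "$first" in
            include)
                for pat in $rest; do
                    case "$pat" in /*) ;; *) pat="$base/$pat" ;; esac
                    # Unquoted $pat expands the glob; recurse in a subshell so
                    # the caller's variables survive.
                    for f in $pat; do (ldconf_dirs "$f"); done
                done ;;
            *)
                for d in $first $rest; do printf '%s\n' "$d"; done ;;
        esac
    done
}

# Classify one directory: GROUP-WRITABLE, WORLD-WRITABLE, ok, or missing,
# followed by its octal mode and owner:group.
dir_writable_by() {
    d="$1"
    if [ ! -d "$d" ]; then printf 'missing\n'; return 0; fi
    mode=$(stat -c '%a' "$d")          # e.g. 2775 for a setgid staff directory
    other=${mode#"${mode%?}"}          # last octal digit: permissions for others
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last digit: group permissions
    if [ $(( other & 2 )) -ne 0 ]; then verdict=WORLD-WRITABLE
    elif [ $(( group & 2 )) -ne 0 ]; then verdict=GROUP-WRITABLE
    else verdict=ok; fi
    printf '%s %s %s\n' "$verdict" "$mode" "$(stat -c '%U:%G' "$d")"
}

# Walk the loader's compiled-in defaults (/lib and /usr/lib in glibc; an
# assumption for other libcs), everything reachable from ld.so.conf, and
# every PATH entry; print one line per directory: kind, verdict, mode,
# owner:group, path.
audit_search_paths() {
    conf="${1:-/etc/ld.so.conf}"
    path="${2:-$PATH}"
    { printf '/lib\n/usr/lib\n'; ldconf_dirs "$conf"; } | while read -r d; do
        printf 'lib  %s %s\n' "$(dir_writable_by "$d")" "$d"
    done
    printf '%s\n' "$path" | tr ':' '\n' | while read -r d; do
        if [ -n "$d" ]; then printf 'exec %s %s\n' "$(dir_writable_by "$d")" "$d"; fi
    done
}

# Run against the live system; pipe through `grep -v ' ok '` to see only the
# directories that need a decision.
audit_search_paths
```

On a default Debian install the report above predicts one `lib  GROUP-WRITABLE 2775 root:staff /usr/local/lib` line, and the reply predicts the same for /usr/local/bin and /usr/local/sbin under `exec`. Those lines are not findings by themselves; they are the list of directories whose group members you are implicitly trusting with root, which is the trade-off the thread is about. If that trust is not wanted, the levers are the ones the thread implies: empty the staff group, or drop the group write bit on those directories and accept that local installs then need root.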




Bug reassigned from package `libc6' to `general'. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Wed, 05 Nov 2008 06:51:05 GMT)

Bug reassigned from package `general' to `tech-ctte'. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Wed, 05 Nov 2008 07:33:02 GMT)

Changed Bug title to `/usr/local/lib is writable by group staff and in default search path' from `libc6 package allows for a potential root compromise to users in 'staff' group'. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Wed, 05 Nov 2008 07:33:03 GMT)

Merged 484841 504516. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org. (Wed, 05 Nov 2008 07:33:05 GMT)

Disconnected #504516 from all other report(s). Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sat, 25 Jul 2009 13:27:07 GMT)

Merged 484841 504516. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sat, 25 Jul 2009 13:27:11 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Aug 2009 07:30:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 12:38:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.