Debian Bug report logs - #590670
insecure setuid usage, local root exploit


Package: hsolink; Maintainer for hsolink is (unknown);

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 28 Jul 2010 11:12:02 UTC

Severity: critical

Tags: security

Found in version hsolink/1.0.118-3

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#590670; Package hsolink. (Wed, 28 Jul 2010 11:12:05 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 28 Jul 2010 11:12:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: insecure setuid usage, local root exploit
Date: Wed, 28 Jul 2010 13:09:06 +0200
Package: hsolink
Version: 1.0.118-3
Severity: critical
Tags: security

Hi,

Following was reported by Christian Jaeger.

----------

hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
The binary

- neither sets PATH
- nor fixes other environment variables
- nor checks commandline arguments
- but uses system(3)
(- and may be overflowing fixed-size buffers as well, I didn't check anymore)

and thus is a trivial target to get root, for example:

(I've tested from the files in an ar-unpacked .deb instead of
installing the deb, to avoid exposing my system. Note: apparently the
binary has to be at root-owned paths or the Linux kernel will ignore
the setuid bit.)

novo:~/chris# l -a
total 12
-rwsr-xr-x  1 root root  7072 2010-07-09 22:20 hsolinkcontrol
drwxr-x---  2 root chris   80 2010-07-09 22:55 .
drwxr-xr-x 50 root root  4272 2010-07-09 22:55 ..

chris@novo:/root/chris$ ./hsolinkcontrol down '; bash'
Using resolvconf.
root@novo:/root/chris# id
uid=0(root) gid=1000(chris) groups=.....

The setuid recommendation is coming from the upstream author
(http://www.pharscape.org/hsolinkcontrol.html), who apparently is not
aware of the implications of the setuid bit, and good security in
general as evidenced by the problems I've listed above. I have not
informed him of the problem [yet].

I don't know about the right solution; maybe using sudo instead of
setuid and adding commandline argument checking and replacing system
calls with fork/exec* calls. Or, to be safer, instead rather turn it
into a daemon. Iff it needs to be run as ordinary users at all--I'm
used to having to run "pon" as root, for example, the charge to enable a
normal user to run hsolinkcontrol (or the program that uses it) as
root (by setting up sudo, for example) could possibly just be left to
the user (I can't say as I haven't used the program yet).

----------

Debian has assigned CVE-2010-1671 to this issue.


Cheers,
Thijs
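
An added example, not part of the original report and not hsolink's code: the mitigations named in the report above (argument checking, a fixed environment, and fork/execve in place of system(3)) written out in C. The "up" action and the /bin/echo stand-in for the real helper are assumptions; only "down" appears in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlisted actions. "down" is from the report; "up" is an assumption. */
static const char *const ALLOWED[] = { "up", "down", NULL };

/* Returns 1 only when arg is exactly one of the allowlisted actions. */
int action_allowed(const char *arg) {
    if (arg == NULL) return 0;
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(arg, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Runs helper_path with the action as a single argv element, no shell,
 * and a fixed environment instead of the caller's.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_helper(const char *helper_path, const char *action) {
    static char *const clean_env[] = {
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "IFS= \t\n", NULL
    };
    if (!action_allowed(action)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const child_argv[] = { (char *)helper_path, (char *)action, NULL };
        execve(helper_path, child_argv, clean_env); /* absolute path, no PATH lookup */
        _exit(127);                                 /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2 || !action_allowed(argv[1])) {
        fprintf(stderr, "usage: %s up|down\n", argv[0]);
        return 2;
    }
    /* /bin/echo is a hypothetical stand-in for the real network helper. */
    return run_helper("/bin/echo", argv[1]);
}
```

Because the argument is compared against fixed strings and passed to execve as one argv element, shell metacharacters in it are never interpreted.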

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Thu, 29 Jul 2010 21:51:04 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Thu, 29 Jul 2010 21:51:04 GMT)

Message #10 received at 590670-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 590670-done@bugs.debian.org
Subject: Re: insecure setuid usage, local root exploit
Date: Thu, 29 Jul 2010 17:46:00 -0400
On Wed, Jul 28, 2010 at 01:09:06PM +0200, Thijs Kinkhorst wrote:
> Package: hsolink
> Version: 1.0.118-3
> Severity: critical
> Tags: security
> 
> Hi,
> 
> Following was reported by Christian Jaeger.
> 
> ----------
> 
> hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
> The binary

I have filed a removal bug and hsolink has been removed (#590751).

Closing the bug.

Cheers,
        Moritz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Aug 2010 07:36:36 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:17:26 2014; Machine Name: buxtehude.debian.org
