Debian Bug report logs - #690532
CVE-2012-2248: build system paths used in -DCLIENT_PATH

Package: isc-dhcp-client; Maintainer for isc-dhcp-client is Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>; Source for isc-dhcp-client is src:isc-dhcp.

Reported by: Michael Stapelberg <stapelberg@debian.org>

Date: Mon, 15 Oct 2012 09:36:02 UTC

Severity: critical

Tags: patch, security

Found in version isc-dhcp/4.2.2.dfsg.1-5

Fixed in versions isc-dhcp/4.2.2.dfsg.1-5+deb70u2, isc-dhcp/4.2.4-3

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#690532; Package isc-dhcp-client. (Mon, 15 Oct 2012 09:36:04 GMT)

Acknowledgement sent to Michael Stapelberg <stapelberg@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>. (Mon, 15 Oct 2012 09:36:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Stapelberg <stapelberg@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2248: backdoor for user "zero79" due to dhclient’s hook $PATH
Date: Mon, 15 Oct 2012 11:31:40 +0200
Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: critical
Tags: security patch


While debugging another issue, Mithrandir, mbiebl and I stumbled upon
the following:

All hooks in /etc/dhcp/dhclient-enter-hooks.d, such as "samba" when the
samba package is installed, are called with a PATH environment variable
containing this:

PATH=/home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin

Since hooks (at least "samba") can call arbitrary commands and are
running as uid 0 (root), this poses a security issue when the following
assumptions are true:

1. The system you want to exploit has samba installed (or any other
   package which comes with a dhclient-enter-hook).
2. The attacker has the possibility of obtaining the username "zero79"
   and thus can create executable files in
   /home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin
3. The DHCP hook needs to be called to trigger the exploit, which
   happens at least on system start or after /etc/init.d/networking
   restart, possibly also when just renewing the dhcp-lease
   (unverified).

Here is a demonstration of this issue:

zero79@squeezevm:~$ id -a
uid=1001(zero79) gid=1001(zero79) groups=1001(zero79)
zero79@squeezevm:~$ mkdir -p source/git/isc-dhcp/debian/tmp/usr/sbin
zero79@squeezevm:~$ cat >source/git/isc-dhcp/debian/tmp/usr/sbin/mv <<'EOF'
#!/bin/sh
echo "my script is run as: $(whoami) $(id -a)" > /tmp/exploited
EOF
zero79@squeezevm:~$ chmod +x source/git/isc-dhcp/debian/tmp/usr/sbin/mv
root@squeezevm:~# /etc/init.d/networking restart
Restarting networking (via systemctl): networking.service.
root@squeezevm:~# ls -hltr /tmp
total 8.0K
-rw-r--r-- 1 root root 966 Oct 14 13:42 samba
-rw-r--r-- 1 root root  65 Oct 14 14:02 exploited
root@squeezevm:~# cat /tmp/exploited 
my script is run as: root uid=0(root) gid=0(root) groups=0(root)

At this point, "zero79" has root access to the system.

Raphael Geissert has resolved this issue in a timely fashion, his
statement follows and his patch is attached:

 The insertion of that path does not appear to be malicious. Rather, it 
 appears to be a mistake in debian/rules as --prefix is set to 
 $(pwd)/debian/tmp/, instead of setting DESTDIR when calling make 
 install. client/Makefile.am defines CLIENT_PATH to 
 "PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin", which is later injected 
 into the env.

 Due to what appears to be a bug in squeeze's Makefile.am, squeeze is not 
 affected.

 Attached patch fixes the problem.

 Since I've already built the package for wheezy, I'm going to upload it. 

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: armel
i386

Kernel: Linux 3.5.0 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.3.2
ii  iproute          20120521-3
ii  isc-dhcp-common  4.2.2.dfsg.1-5
ii  libc6            2.13-35

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd  <none>
pn  resolvconf     <none>

-- no debconf information
[CVE-2012-2248.patch (text/x-diff, attachment)]

Marked as fixed in versions isc-dhcp/4.2.2.dfsg.1-5+deb70u2. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2012 18:57:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#690532; Package isc-dhcp-client. (Mon, 15 Oct 2012 19:06:03 GMT)

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>. (Mon, 15 Oct 2012 19:06:03 GMT)

Message #12 received at 690532@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 690532@bugs.debian.org, 690532-submitter@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Bug#690532: CVE-2012-2248: backdoor for user "zero79" due to dhclient’s hook $PATH
Date: Mon, 15 Oct 2012 15:01:54 -0400
control: retitle -1 CVE-2012-2248: build system paths used in -DCLIENT_PATH

On Mon, Oct 15, 2012 at 5:31 AM, Michael Stapelberg wrote:
> All hooks in /etc/dhcp/dhclient-enter-hooks.d, such as "samba" when the
> samba package is installed, are called with a PATH environment variable
> containing this:

Using the term "backdoor" is inappropriate and quite misleading as it
implies malicious activity.  The issue is actually a build system
sanitization issue.

Best wishes,
Mike



Changed Bug title to 'CVE-2012-2248: build system paths used in -DCLIENT_PATH' from 'CVE-2012-2248: backdoor for user "zero79" due to dhclient’s hook $PATH' Request was from Michael Gilbert <mgilbert@debian.org> to 690532-submit@bugs.debian.org. (Mon, 15 Oct 2012 19:06:03 GMT)

Message sent on to Michael Stapelberg <stapelberg@debian.org>:
Bug#690532. (Mon, 15 Oct 2012 19:06:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#690532; Package isc-dhcp-client. (Mon, 15 Oct 2012 19:15:07 GMT)

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>. (Mon, 15 Oct 2012 19:15:07 GMT)

Message #22 received at 690532@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 690532@bugs.debian.org, 690532-submitter@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Bug#690532: Bug#690532: CVE-2012-2248: backdoor for user "zero79" due to dhclient’s hook $PATH
Date: Mon, 15 Oct 2012 15:13:26 -0400
On Mon, Oct 15, 2012 at 3:01 PM, Michael Gilbert wrote:
> control: retitle -1 CVE-2012-2248: build system paths used in -DCLIENT_PATH
>
> On Mon, Oct 15, 2012 at 5:31 AM, Michael Stapelberg wrote:
>> All hooks in /etc/dhcp/dhclient-enter-hooks.d, such as "samba" when the
>> samba package is installed, are called with a PATH environment variable
>> containing this:
>
> Using the term "backdoor" is inappropriate and quite misleading as it
> implies malicious activity.  The issue is actually a build system
> sanitization issue.

Also, to be fair, the same conclusions can be drawn on different
architectures for paths like /build/buildd-isc-dhcp-*:
https://buildd.debian.org/status/fetch.php?pkg=isc-dhcp&arch=i386&ver=4.2.4-2&stamp=1347600978

Best wishes,
Mike
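
A defender-side check for the condition discussed in this report and in the follow-up about /build/buildd-* paths, as an added example that is not part of the bug log or of the isc-dhcp packaging: it pulls compiled-in PATH= strings out of a binary and flags entries that point into a build tree (debian/tmp), a home directory, or a buildd directory. The function names and the list of non-system prefixes are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the bug log: audit a compiled-in search path.

# classify_entry DIR: print why DIR is unsafe in a root process's PATH, or "ok".
classify_entry() {
    case "$1" in
        ""|[!/]*)                           echo "relative" ;;
        */debian/tmp|*/debian/tmp/*)        echo "build-tree" ;;
        /home/*|/build/*|/tmp/*|/var/tmp/*) echo "non-system-prefix" ;;
        *)                                  echo "ok" ;;
    esac
}

# audit_path VALUE: print "reason dir" for each unsafe entry; return 1 if any.
audit_path() {
    _value=${1#PATH=}
    _bad=0
    _old_ifs=$IFS
    IFS=:
    set -f                          # split on ':' only, no globbing
    for _dir in $_value; do
        _why=$(classify_entry "$_dir")
        if [ "$_why" != "ok" ]; then
            echo "$_why $_dir"
            _bad=1
        fi
    done
    set +f
    IFS=$_old_ifs
    return "$_bad"
}

# embedded_paths FILE: print each PATH=... string found in a binary's bytes.
embedded_paths() {
    LC_ALL=C grep -a -o 'PATH=[/A-Za-z0-9._:+~-]*' "$1"
}

# audit_binary FILE: audit every embedded PATH string; return 1 on any finding.
audit_binary() {
    _rc=0
    for _p in $(embedded_paths "$1"); do
        audit_path "$_p" || _rc=1
    done
    return "$_rc"
}

# Constructed input: the PATH value quoted in the report.
audit_path 'PATH=/home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin' ||
    echo "unsafe PATH entries found"
```

audit_binary returns non-zero on any finding, so it can serve as a post-build gate before a package is uploaded.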



Message sent on to Michael Stapelberg <stapelberg@debian.org>:
Bug#690532. (Mon, 15 Oct 2012 19:15:09 GMT)

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 15 Oct 2012 19:21:09 GMT)

Notification sent to Michael Stapelberg <stapelberg@debian.org>:
Bug acknowledged by developer. (Mon, 15 Oct 2012 19:21:09 GMT)

Message #30 received at 690532-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 690532-close@bugs.debian.org
Subject: Bug#690532: fixed in isc-dhcp 4.2.4-3
Date: Mon, 15 Oct 2012 19:17:47 +0000
Source: isc-dhcp
Source-Version: 4.2.4-3

We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 690532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated isc-dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 15 Oct 2012 14:18:07 -0400
Source: isc-dhcp
Binary: isc-dhcp-server isc-dhcp-server-dbg isc-dhcp-server-ldap isc-dhcp-common isc-dhcp-dev isc-dhcp-client isc-dhcp-client-dbg isc-dhcp-client-udeb isc-dhcp-relay isc-dhcp-relay-dbg
Architecture: source amd64
Version: 4.2.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 isc-dhcp-client - ISC DHCP client
 isc-dhcp-client-dbg - ISC DHCP client (debugging symbols)
 isc-dhcp-client-udeb - ISC DHCP Client for debian-installer (udeb)
 isc-dhcp-common - common files used by all the isc-dhcp* packages
 isc-dhcp-dev - API for accessing and modifying the DHCP server and client state
 isc-dhcp-relay - ISC DHCP relay daemon
 isc-dhcp-relay-dbg - DHCP relay daemon (debugging symbols)
 isc-dhcp-server - ISC DHCP server for automatic IP address assignment
 isc-dhcp-server-dbg - ISC DHCP server for automatic IP address assignment (debug)
 isc-dhcp-server-ldap - DHCP server able to use LDAP as backend
Closes: 690532
Changes: 
 isc-dhcp (4.2.4-3) unstable; urgency=high
 .
   * Maintainer security upload.
   * Fix cve-2012-2248: as of 4.2.x the build system prefix now gets included
     in CLIENT_PATH.  This has security implications since the build system's
     source path is now included in dhclient's search PATH on users' systems,
     so sanitize the prefix to not include build system paths (closes: #690532)
     - Patch thanks to Raphael Geissert
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Nov 2012 07:26:27 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:43:35 2014; Machine Name: buxtehude.debian.org