Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Jan 2021 16:07:40 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: libreoffice-online "loolforkit" privileged program local root exploit

Hello list,

libreoffice-online [1] contains a privileged setuid-root like binary
"loolforkit" [2] that carries Linux capability bits for CAP_FOWNER,
CAP_MKNOD and CAP_SYSCHROOT.

Upstream's intention seems to be that this program should only be
accessible to the "loolforkit" user in the system. This precondition is
not fulfilled in the 7.0 release versions of the "loolforkit" program,
however, because a command line switch "--disable-lool-user-checking"
allows to bypass this check. In the upstream repository this was fixed
as a "side effect" of commit d9708437b2 [3].

Any user that is allowed to run this program can obtain root privileges.
In the `globalPreinit()` function the program attempts to load a shared
library under the user specified lotemplate path (parameter
"--lotemplate"). Thus the unprivileged caller can cause arbitrary code
to be executed in the context of the privileged program.

Even with the fix from commit d9708437b2 the "loolforkit" user is
equivalent to root, because it can execute arbitrary code as root using
this attack vector. I think this creates a false sense of security,
because to unaware users it looks like there is user separation in
place. A compromised "loolforkit" user account can easily become root
using the "loolforkit" program, however.

I did not fully review the program source. The large amount of command
line switches the program accepts and the general program philosophy
"it's okay if the right user is calling it" make me suspect that there a
further weaknesses over the '--lotemplate' approach in this program that
might allow to escalate privileges.

I contacted upstream by email on 2020-12-14 and offered coordinated
disclosure of these issues and recommended to thoroughly check the
program's source code for issues. It seems upstream considers this fixed
with commit d9708437b2 and doesn't consider it an issue that the
"loolforkit" user can escalate privileges to root using this program. I
recommended to assign at least a CVE for the combination of the two
issues that allows arbitrary users in the system to become root using
the "loolforkit" binary. Nothing happened so far, however.

Formally libreoffice-online is covered by the "Document Foundation" CNA,
therefore I did not request a CVE for this via the Mitre CVE form. I
will try to contact the CNA directly in this matter.

[1]: https://github.com/LibreOffice/online
[2]: https://github.com/LibreOffice/online/blob/master/kit/ForKit.cpp
[3]: https://github.com/LibreOffice/online/commit/d9708437b2ba2f8c10eeb95c9ce7bd78cc83d244

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.