Date: Tue, 19 Jan 2021 15:30:39 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: segv_handler junkcode snippet / openSUSE segv_handler package potential local root exploit

Hello list,

I stumbled over this old code from samba / "junkcode" [1]. The code
demonstrates how to establish a temporary or global segmentation fault
handler via an LD_PRELOAD library.

This code ended up in an openSUSE package "segv_handler" for a long time,
e.g. in [2]. I am not aware of any other cases where this code has been
released for production use.

The documentation suggests installing the library globally via
/etc/ld.so.preload. If done this way the code will be used by all programs
in the system, including setuid-root programs.

The code has various issues:

1) The accompanying "backtrace" script is invoked via the `system()`
   library call and the command line constructed in line 22 does not
   escape any special characters. Thus if an executable name (as obtained
   from /proc/self/exe) contains special characters, then this will have
   side effects. It should not be a big security issue, because the "root"
   user should not typically run executables that are named by potential
   attackers.

2) The "backtrace" script uses a predictable temporary file in
   "/tmp/gdb.$$". The contents of this file will be used as a command
   source file to `gdb -x`. Thus if an unprivileged local attacker manages
   to precreate this file it can try to win a race condition and feed
   arbitrary commands to the `gdb` invoked potentially by the "root" user.
   This can allow for a full local root exploit.

3) The "backtrace" script invokes the "cat" and "gdb" commands using
   non-absolute path names. In the context of a setuid-root binary that
   does not sanitize the PATH environment variable this would allow an
   unprivileged user to execute arbitrary commands.

4) The hardcoded directory path for backtraces in /var/log/segv would need
   to be set up as a sticky-bit directory with mode 1777 to work for all
   users in the system. Then, however, segv_handler.c line 24 would become
   subject to possible symlink attacks when the path
   "/var/log/segv/segv_<exe>.<pid>.out" is created. The openSUSE package in
   [2] uses the /tmp/ directory for this purpose and is thus affected.

5) The backtraces created in /var/log/segv will be created with the umask
   of the process running the segfault handler. If the directory
   /var/log/segv is world-readable and the created backtrace files are
   also world-readable then this poses an information leak towards other
   users in the system. Data found in stack variables or pointer values
   can be used for further attacks.

Some of the issues can be mitigated by protection mechanisms. The bash
shell by default drops privileges when invoked in a setuid-root context,
which would mitigate issues 1), 2) and 3) (in fact this means that
segv_handler will not work for setuid-root programs at all in this case).
The kernel's symlink protection would protect against 4).

I contacted the code's author Andrew Tridgell ("Tridge") on 2021-01-07
about these concerns and suggested to remove this example code, document
the issues or fix the code. He expressed that he would like to adjust the
code but we did not come to a conclusion yet.

I could not find any trace that this code or the openSUSE package are in
active use anywhere, therefore we will remove this package from openSUSE.

I suggest using the Linux kernel's core_pattern feature instead (see
`man 5 core`) or one of the integrated crash handlers such as those
provided by systemd (coredumpctl) or Ubuntu (apport).

[1]: https://www.samba.org/ftp/unpacked/junkcode/segv_handler/
[2]: https://build.opensuse.org/package/show/openSUSE:Leap:15.0/segv_handler

Cheers

Matthias

--
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
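The following is an added example, not code from the samba junkcode or from the openSUSE package, showing how the five issues listed above can be avoided when a crash handler writes a backtrace file and spawns a debugger. The report directory, the debugger path, the file name layout and the helper names are assumptions made for the example. It reduces the executable name to a safe character set instead of passing it through a shell (issue 1), creates the report file with O_EXCL|O_NOFOLLOW and mode 0600 so that a pre-created file or a planted symlink is refused and the process umask does not matter (issues 2, 4 and 5), and runs the debugger by absolute path with execve() and a fixed PATH instead of system() (issue 3).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Example code (not part of the samba junkcode or the openSUSE package).
 * Directory layout, debugger path and function names are assumptions. */

/* Issue 1: the crashing program's name must never reach a shell. Keep only
 * the basename and map everything outside [A-Za-z0-9._-] to '_', so the
 * report file name cannot carry '/', '..' or shell metacharacters.
 * Returns the length of the sanitized name. */
size_t sanitize_exe_name(const char *exe, char *out, size_t outlen)
{
    const char *base = strrchr(exe, '/');
    base = base ? base + 1 : exe;
    size_t n = 0;
    for (; *base && n + 1 < outlen; base++) {
        unsigned char c = (unsigned char)*base;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        out[n++] = ok ? (char)c : '_';
    }
    out[n] = '\0';
    if (n == 0 || strcmp(out, ".") == 0 || strcmp(out, "..") == 0) {
        snprintf(out, outlen, "unknown");
        n = strlen(out);
    }
    return n;
}

/* Issues 2, 4 and 5: create the report with O_CREAT|O_EXCL|O_NOFOLLOW and
 * mode 0600. O_EXCL refuses a file an attacker pre-created (no race),
 * O_NOFOLLOW refuses a planted symlink, and the explicit 0600 mode keeps
 * the backtrace private regardless of the process umask. `dir` is assumed
 * to be a directory that is not world-writable.
 * Returns the open fd, or -1 with errno set. */
int open_report_file(const char *dir, const char *exe, pid_t pid,
                     char *path, size_t pathlen)
{
    char name[64];
    sanitize_exe_name(exe, name, sizeof name);
    int len = snprintf(path, pathlen, "%s/segv_%s.%ld.out", dir, name, (long)pid);
    if (len < 0 || (size_t)len >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Issue 3: run the debugger by absolute path via fork()/execve() with a
 * fixed minimal environment instead of system(), so neither PATH nor other
 * variables of the crashing process decide which binary is executed.
 * `script` is assumed to be a gdb command file the caller created with
 * mkstemp() rather than a predictable /tmp name. Output goes to out_fd.
 * Returns the child's exit status, or -1 on error. */
int run_debugger(const char *gdb_path, const char *exe, pid_t pid,
                 const char *script, int out_fd)
{
    char pidbuf[32];
    snprintf(pidbuf, sizeof pidbuf, "%ld", (long)pid);
    char *const argv[] = { "gdb", "-batch", "-x", (char *)script,
                           (char *)exe, pidbuf, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        dup2(out_fd, STDOUT_FILENO);
        dup2(out_fd, STDERR_FILENO);
        execve(gdb_path, argv, envp);
        _exit(127); /* exec failed: absolute path missing or not executable */
    }
    int status;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char path[256];
    int fd = open_report_file("/var/log/segv", "/proc/self/exe", getpid(),
                              path, sizeof path);
    if (fd < 0) {
        perror("open_report_file");
        return 1;
    }
    int rc = run_debugger("/usr/bin/gdb", "/proc/self/exe", getpid(),
                          "/dev/null", fd);
    close(fd);
    printf("report in %s, gdb exit status %d\n", path, rc);
    return 0;
}
```

Note that this only hardens the file handling and process spawning; it does not make the LD_PRELOAD approach suitable for setuid-root programs, where the kernel's core_pattern handler or a system crash handler remains the better choice, as the mail recommends.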