Two glibc vulnerabilities
Out of that have come two separate local privilege escalations that exploit an obscure corner of the dynamic linker auditing API of glibc, while the exploits themselves use—abuse—some Linux features that many probably aren't aware of. These vulnerabilities and exploits provide good examples of the way that security researchers look at code and systems—a way of looking that more developers would do well to emulate.
The runtime library auditing API is a way for developers to intercept the actions of the dynamic linker and see the steps it takes while searching for and loading shared objects. There are various events specified in the rtld-audit man page, including searching for an object, opening an object, binding to a symbol, and so on.
It seems like a useful facility, but one that is likely not in the toolbox of many Linux developers. The problem with allowing user-provided libraries to be used for auditing setuid programs is not anywhere in the auditing API, but is instead inherent in the way the runtime linker processes libraries.
When the library is opened with dlopen to determine whether the auditing callback symbols are present, any library initialization routines must be run. So an exploit works by finding a vulnerable system library (it must be on the trusted path) that was not written with setuid execution in mind and thus does not have that bit set in the filesystem.
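To make the API concrete, here is a minimal rtld-audit library written for this article as an added example (it is not code from the article, from Ormandy, or from glibc). It implements the handshake and the object-open and symbol-bind callbacks named above, and its constructor shows the point just made: the dynamic linker runs the object's initialization code before it ever looks for la_version(). The library name, the constructed link_map in the self-check, and the helper names are assumptions made here.

```c
/* Minimal rtld-audit library: added illustration, not from the article or glibc.
 * Build:  gcc -shared -fPIC -o libaudit.so audit.c
 * Run:    LD_AUDIT=./libaudit.so /bin/true      (as an ordinary user)
 * The linker dlopen()s this object, runs its constructors, and only then looks
 * for la_version(); an object without that symbol is dropped, but by then its
 * constructor has already executed. */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>

static int init_ran;

/* Runs as soon as the object is mapped, before la_version() is consulted. */
__attribute__((constructor)) static void on_load(void) {
    init_ran = 1;
    fputs("audit: constructor ran\n", stderr);
}

int audit_init_ran(void) { return init_ran; }

/* Handshake: report the audit interface version this library implements;
 * returning 0 would tell the linker to ignore the library. */
unsigned int la_version(unsigned int version) {
    (void)version;
    return LAV_CURRENT;
}

/* Called for every object the linker loads; request bind notifications
 * both from and to it. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie) {
    (void)lmid;
    *cookie = (uintptr_t)map;
    fprintf(stderr, "audit: objopen %s\n", map->l_name[0] ? map->l_name : "(main)");
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called when a symbol is resolved; log it and leave the address untouched. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags, const char *symname) {
    (void)ndx; (void)refcook; (void)defcook; (void)flags;
    fprintf(stderr, "audit: symbind %s\n", symname);
    return sym->st_value;
}

/* Self-check: feed a constructed (fake) link_map through la_objopen(). */
unsigned int audit_self_test(void) {
    struct link_map fake = { .l_name = (char *)"libconstructed.so" };
    uintptr_t cookie = 0;
    return la_objopen(&fake, LM_ID_BASE, &cookie);
}
```

Running it as shown logs every object the linker opens and every symbol it binds for an unprivileged program; for a setuid program the linker is expected to ignore LD_AUDIT entirely, which is exactly the expectation the two flaws undermine.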
In his description of the flaw, Ormandy gives an example using libpcprofile. The details will vary depending on the distribution, but most will be vulnerable to the flaw. There is nothing particularly special about libpcprofile.
That way, a library used by a single executable can be located in a program-specific location rather than in the system library directories.
Ormandy doesn't really see a problem with that: "The glibc maintainers are some of the smartest guys in free software, and well known for having a 'no hand-holding' stance on various issues, so I suspect they wanted a better argument than this for modifying the behaviour. I pointed it out a few years ago, but there was little interest."
But, there are known ways to exploit this kind of situation. It is essentially a race condition, but one that can be reliably won by the attacker. He then removes the directory and its contents, and puts a library that has exploit code in its initialization function in the place of the directory. That particular exploit mechanism is fairly modern, using relatively recent Linux kernel features, but there are others.
Ormandy describes several other ways to exploit the flaw, with differing requirements e. While both are local privilege escalations, they very well might be used in conjunction with a web application or other flaw to turn them into a remote root vulnerability.
Both of these vulnerabilities are quite serious for systems that allow untrusted users to log in. Their impact on other systems depends on whether there are other vulnerable, network-facing programs. It's always a bit worrisome to think of how many of these kinds of flaws are still lingering out there.
Posted Oct 28, 8: I have to say that I am rather naive in this respect, and don't have much idea about how to search for vulnerabilities in code other than grepping for known dodgy functions I suppose and looking for known ways of misusing them.
What about an article on that subject? Or does anyone knowledgeable feel like doing a guest article on the subject? References for program security.
Posted Oct 28, Look at David A. Or, alternatively, every environment variable X could be renamed. X so the process can get at them if it really wants, but code written without thinking about suid conditions wouldn't be tripped up. It might not have helped here, but many exploits would surely be prevented by using some sort of suid loader, something like sudo, to load binaries which have to run setuid root, rather than marking the binaries themselves.
That way the loader could take care of most of the little things you have to think of when playing with suid and the binary would have fewer things, though still enough, that it could get wrong. For instance, imagine if ping, instead of being setuid, called into dbus to load a helper daemon, and that helper daemon did all the actions which need root (in this example, sending pings).
The part controlled by the user would limit itself to the user interface: showing one line per packet, doing the average calculations, and so on. This way, the daemon is always run in a clean environment (the one dbus uses to launch daemons). In the ping example, this also has the advantage that it makes it harder to avoid the restrictions on the minimum ping interval by running several instances of ping in parallel: no matter how many you run, they will talk to a single daemon, which can limit the ping rate per user or even globally.
Actually a clean environment was the main point of what I suggested above - i. My worry with using dbus for this is that it requires a sizeable piece of infrastructure to be present and running properly in order to start your binary, which is fine for desktop use, but may not be appropriate for all situations.
This looks like PolicyKit. Another setuid killer is setcap. Yes, why isn't ping installed like this by default? But, yeah, it'd still be better than giving them root, so yeah, why isn't this done if it's possible? Posted Oct 29, Being hacked once a month is progress compared to twice. Posted Oct 29, 7: Actually, ping using D-Bus would be such a change that you would rather have new-secure-dbus-user-ping on one hand and good-old-insecure-root-ping on the other hand.
Embedded and other single user systems can just run everything as root and use the old one. If you are serious about security you really need a good IPC on multi-user systems. Posted Oct 31, It's too simple, so you could also solve this problem by making a static build of ping that can not load any shared library.
In my "non-security guy" perspective that would be enough for most environments. Posted Nov 1, I thought that with ELF there was no such thing as a pure statically linked binary. Am I missing something? Posted Nov 2, 0: Posted Nov 3, Posted Nov 4, 0: Ok, maybe my coffee hasn't kicked in yet. Also, am I correct in thinking that if you keep your untrusted-user-writeable directories on different partitions from your setuid executables, you'll thwart this attack?
By Jake Edge, October 27
Unless the execing process is already running as the specified user. Now, successful exploitation just gets you the ability to create raw sockets instead of full root. But, raw sockets aren't really something you want to give to an untrusted user to play with, either. This still lets a user execute a program that will have more privileges than the user with whatever environment the user defines.
It absolutely reduces the attack surface in general, but linker vulnerabilities will remain a serious problem. Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though. Getting rid of the setuid bit is a great goal. I was just trying to point out that it does not solve problems like those recently found in glibc. I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations.
There are [have been] bigger fish to fry. Otherwise, of course, it would be trivial for anyone to gain their enhanced capabilities Which, while not as bad as gaining root, is still not something you want to make trivially easy to do Which is to say, that Fine Piece Of Software suddenly becomes mandatory on boxen that used to avoid it just fine. Since this is its primary purpose, perhaps some distros don't ship it If those libraries are not available as separate files, in the expected location, name resolution fails.
I haven't seen a glibc 2. Essentially all current Linux systems work this way. Usernames as well as hostnames: Or does it simply open the socket to nscd and let it load the NSS stuff? Not all NSS functionality goes through nscd even when it's enabled. I forget the details of which do and which don't, though.