
Bug#504516: libc6 package allows for a potential root compromise to users in 'staff' group



Package: libc6
Version: 2.7-15

Hello. I just noticed that the libc6 package included in the unstable and 
testing repositories has a misconfiguration that can potentially lead to a 
root compromise by any local user that belongs to 'staff' group (or that is 
able to write in /usr/local/lib somehow).

The problem is in that file: 
/etc/ld.so.conf.d/libc.conf

which contains:
# libc default configuration
/usr/local/lib

And /usr/local/lib is writable by users in the staff group by default.

While that group is intended for users that can compile/install software 
locally and do not need superuser rights, this thing will eventually grant 
them root privs quite easily.

If I am an intruder and got 'staff' group rights I would:

* compile a shared library named like some real one in /lib, declare some 
function which is declared in the real /lib one which executes arbitrary 
code.
* The library should imitate one that a suidroot binary is linked against
* wait until the superuser installs a new .deb package or updates the system 
(since many .deb packages do a ldconfig in their post-install phase).
* execute the setuid binary and have my arbitrary code run with superuser 
privileges.

I have described a similar scenario there (sorry, it's not in English, but it 
should be kinda graspable):

http://www . gat3way . 
eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15

(cut the spaces in the URL).

It actually imitates the libselinux library and exploits the gpasswd to create 
a root-owned, suid setuid() wrapper for /bin/bash.

Hope that helps.
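
A defensive check for the misconfiguration this report describes, as an added example that is not part of the original message or of any Debian tooling: it walks an ld.so.conf-style file, follows its include lines, and reports search directories that a non-root owner, a non-root group or everyone can write to. The function names, the trusted_uids/trusted_gids parameters and the one-directory-per-line simplification are assumptions of this example.

```python
#!/usr/bin/env python3
"""Flag dynamic-linker search directories that a non-root account can write to."""
import glob
import os
import stat


def linker_dirs(conf):
    """Yield directories listed in an ld.so.conf-style file, following 'include' lines."""
    try:
        with open(conf) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments such as "# libc default configuration"
        if not line:
            continue
        if line.split()[0] == "include":
            for pattern in line.split()[1:]:
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(conf), pattern)
                for inc in sorted(glob.glob(pattern)):
                    yield from linker_dirs(inc)
        elif line.startswith("/"):
            # Simplification (assumption): one directory per line, as in the libc.conf quoted above.
            yield line


def audit(conf="/etc/ld.so.conf", trusted_uids=(0,), trusted_gids=(0,)):
    """Return {directory: [reasons]} for search directories writable by untrusted accounts."""
    findings = {}
    for d in linker_dirs(conf):
        try:
            st = os.stat(d)
        except OSError:
            continue  # directory does not exist, nothing to check
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            reasons.append(f"writable by gid {st.st_gid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[d] = reasons
    return findings


if __name__ == "__main__":
    for path, why in audit().items():
        print(f"{path}: {', '.join(why)}")
```

Any directory it reports is one where a library planted by that owner or group would be picked up at the next ldconfig run, which is the condition the report above depends on.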


