Bug#504516: libc6 package allows for a potential root compromise to users in 'staff' group
Package: libc6
Version: 2.7-15
Hello. I just noticed that the libc6 package included in the unstable and
testing repositories has a misconfiguration that can potentially lead to a
root compromise by any local user that belongs to the 'staff' group (or that is
able to write in /usr/local/lib somehow).
The problem is in this file:

    /etc/ld.so.conf.d/libc.conf

which contains:

    # libc default configuration
    /usr/local/lib

And /usr/local/lib is writable by users in the staff group by default.
While that group is intended for users that can compile/install software
locally and do not need superuser rights, this thing will eventually grant
them root privs quite easily.
If I were an intruder and got 'staff' group rights I would:
* compile a shared library named like some real one in /lib, and declare some
function which is declared in the real /lib one and which executes arbitrary
code.
* The library should imitate one that a suidroot binary is linked against.
* wait until the superuser installs a new .deb package or updates the system
(since many .deb packages do a ldconfig in their post-install phase).
* execute the setuid binary and have my arbitrary code run with superuser
privileges.
I have described a similar scenario there (sorry, it's not in English, but it
should be kinda graspable):
http://www . gat3way .
eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15
(cut the spaces in the URL).
It actually imitates the libselinux library and exploits gpasswd to create
a root-owned, suid setuid() wrapper for /bin/bash.
Hope that helps.
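
An audit for the condition this report describes, added here as an example and not part of the original report or of the libc6 package: it walks an ld.so.conf-style file, follows its include lines, and lists every configured library directory that carries group or other write permission. The function names are hypothetical, and each non-directive line is assumed to name exactly one directory.

```python
import glob
import os
import stat


def ld_search_dirs(conf, seen=None):
    """Return directories listed in an ld.so.conf-style file, following includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(conf)
    if real in seen:  # guard against include loops
        return []
    seen.add(real)
    dirs = []
    with open(conf, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments
            if not line:
                continue
            words = line.split()
            if words[0] == "include":
                for pattern in words[1:]:
                    # relative patterns resolve against the including file
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(os.path.dirname(conf), pattern)
                    for inc in sorted(glob.glob(pattern)):
                        dirs += ld_search_dirs(inc, seen)
            else:
                dirs.append(line)  # assumption: one directory per line
    return dirs


def writable_by_non_owner(dirs):
    """Return (dir, mode, uid, gid) for dirs with group or other write bits set."""
    hits = []
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue  # configured but absent; nothing to inspect yet
        if stat.S_ISDIR(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append((d, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return hits


if __name__ == "__main__":
    for d, mode, uid, gid in writable_by_non_owner(ld_search_dirs("/etc/ld.so.conf")):
        print(f"{d}: mode {mode} uid {uid} gid {gid} is on the ldconfig search path")
```

Any directory it prints can be populated by someone other than its owner, and ldconfig will index it on its next run.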