Bug#504516: libc6 package allows for a potential root compromise to users in 'staff' group
reassign 504516 general
thanks
On Tue, Nov 04, 2008 at 08:07:27PM +0200, Milen Rangelov wrote:
> Package: libc6
> Version: 2.7-15
>
> Hello. I just noticed that the libc6 package included into the unstable and
> testing repositories has a misconfiguration that can potentially lead to a
> root compromise by any local user that belongs to 'staff' group (or that is
> able to write in /usr/local/lib somehow).
>
> The problem is in that file:
> /etc/ld.so.conf.d/libc.conf
>
> which contains:
> # libc default configuration
> /usr/local/lib
This is not a misconfiguration; the goal is to be consistent with the
default path and the default include path of gcc.
> And the /usr/local/lib is writable by users in staff group by default.
>
> While that group is intended for users who can compile/install software
> locally and do not need superuser rights, this thing will eventually grant
> them root privs quite easily.
Yes, but nothing new.
> If I am an intruder and got 'staff' group rights I would:
>
> * compile a shared library named like some real one in /lib, declare some
> function which is declared in the real /lib one which executes arbitrary
> code.
> * The library should imitate one that a suidroot binary is linked against
> * wait until the superuser installs a new .deb package or updates the system
> (since many .deb packages do a ldconfig in their post-install phase).
> * execute the setuid binary and have my arbitrary code run with superuser
> privileges.
>
> I have described a similar scenario there (sorry, it's not in English, but it
> should be kinda graspable):
>
> http://www . gat3way .
> eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15
>
> (cut the spaces in the URL).
>
Even with etch it was possible to drop a binary in /usr/local/bin and
/usr/local/sbin which will then be used by all users, including root.
No changes here, you have to trust the users from group staff.
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
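The thread's point is that the directories listed under /etc/ld.so.conf.d are a trust boundary: anyone who can write to one of them can influence what ldconfig indexes. The script below is an added example for administrators who want to enumerate that boundary on their own hosts; it is not part of the bug report or of Debian's tooling. It assumes only POSIX sh plus sed, awk and ls, the function names (ldso_dirs, ldso_writable_dirs) are mine, and its handling of `include` lines is a simplification (globs are expanded as written rather than relative to the including file, as ldconfig does). It reports each listed directory that is group- or world-writable unless the group is root, which is how the maintainer's reply frames the question: which non-root groups are effectively trusted.

```shell
#!/bin/sh
# Added example (not from the bug thread): list the directories that
# ld.so.conf-style files hand to ldconfig and flag those writable by a
# non-root group or by everyone. Writers of such a directory can place
# libraries that ldconfig will index on the next package install.

# Print every directory path named in the given config files, one per line.
# Comments and blank lines are dropped; "include <glob>" lines are followed.
ldso_dirs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" |
        grep -v '^$' |
        while IFS= read -r entry; do
            case "$entry" in
                # Simplification: the glob is expanded as written (absolute
                # paths, as on Debian), not relative to the including file.
                include\ *) ldso_dirs ${entry#include } ;;
                *) printf '%s\n' "$entry" ;;
            esac
        done
    done
}

# For each existing directory from the config files, print
# "MODE OWNER:GROUP PATH" when the directory is writable by a group other
# than root or by everyone. Owner-only and root-group-only dirs are silent.
ldso_writable_dirs() {
    ldso_dirs "$@" | while IFS= read -r d; do
        [ -d "$d" ] || continue
        line=$(ls -ld "$d")
        mode=$(printf '%s' "$line" | cut -c1-10)   # e.g. drwxrwsr-x
        owner=$(printf '%s' "$line" | awk '{print $3}')
        group=$(printf '%s' "$line" | awk '{print $4}')
        gw=$(printf '%s' "$mode" | cut -c6)          # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)          # other write bit
        # Neither group nor world can write: nothing to report.
        [ "$gw" = "-" ] && [ "$ow" = "-" ] && continue
        # Group-writable with group root is equivalent to root-only.
        [ "$ow" = "-" ] && [ "$group" = "root" ] && continue
        printf '%s %s:%s %s\n' "$mode" "$owner" "$group" "$d"
    done
}

# Usage on a Debian-style host: /etc/ld.so.conf normally just includes the
# drop-in directory, so both are passed; missing files are skipped.
ldso_writable_dirs /etc/ld.so.conf /etc/ld.so.conf.d/*.conf
```

On the configuration quoted in the report, a default /usr/local/lib shows up as `drwxrwsr-x root:staff /usr/local/lib`, which makes the staff membership the thing to review rather than the libc.conf entry itself. Run it after each package upgrade if you want to notice a directory whose mode or group has drifted.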