
Bug#504516: libc6 package allows for a potential root compromise to users in 'staff' group



reassign 504516 general
thanks

On Tue, Nov 04, 2008 at 08:07:27PM +0200, Milen Rangelov wrote:
> Package: libc6
> Version: 2.7-15
> 
> Hello. I just noticed that the libc6 package included in the unstable and 
> testing repositories has a misconfiguration that can potentially lead to a 
> root compromise by any local user that belongs to the 'staff' group (or that is 
> able to write in /usr/local/lib somehow).
> 
> The problem is in that file: 
> /etc/ld.so.conf.d/libc.conf
> 
> which contains:
> # libc default configuration
> /usr/local/lib

This is not a misconfiguration; the goal is to be consistent with the
default path and the default include path of gcc.

> And the /usr/local/lib is writable by users in staff group by default.
> 
> While that group is intended for users that can compile/install software 
> locally and do not need superuser rights, this thing will eventually grant 
> them root privs quite easily.

Yes, but nothing new.

> If I am an intruder and got 'staff' group rights I would:
> 
> * compile a shared library named like some real one in /lib, declare some 
> function which is declared in the real /lib one which executes arbitrary 
> code.
> * The library should imitate one that a suidroot binary is linked against
> * wait until the superuser installs a new .deb package or updates the system 
> (since many .deb packages run ldconfig in their post-install phase).
> * execute the setuid binary and have my arbitrary code run with superuser 
> privileges.
> 
> I have described a similar scenario there (sorry, it's not in English, but it 
> should be kinda graspable):
> 
> http://www . gat3way . 
> eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15
> 
> (cut the spaces in the URL).
> 

Even with etch it was possible to drop a binary in /usr/local/bin and
/usr/local/sbin which will then be used by all users, including root.
No changes here, you have to trust the users from group staff.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
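The thread turns on one fact: a directory listed in /etc/ld.so.conf.d/*.conf that is writable by a non-root group (staff on Debian) lets every member of that group supply libraries that ldconfig will register system-wide. The following script is an added example and is not part of the bug report or of Debian's own tooling; it audits the directories named in ld.so.conf fragments and reports any that are world-writable or writable by a group other than root. It assumes GNU stat (Linux) and builds its own constructed sample layout with mktemp instead of touching the real /etc.

```shell
#!/bin/sh
# Added example, not code from the bug thread: audit ld.so.conf.d fragments
# for directories that non-root users can write to. Assumes GNU stat.

# Print "<dir><TAB><reason>" for each directory listed in "$1"/*.conf that
# is writable by others, or by a group other than root. Comments, blank
# lines and "include" directives are skipped.
audit_ldconf() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*include/d' "$conf" |
        while read -r dir; do
            [ -d "$dir" ] || continue
            mode=$(stat -c '%a' "$dir")
            grp=$(stat -c '%G' "$dir")
            # keep the last three octal digits (rwx for user/group/other);
            # bit value 2 in a digit is the write permission
            perm=$(printf '%04d' "$mode" | tail -c 3)
            gbit=$(printf '%s' "$perm" | cut -c2)
            obit=$(printf '%s' "$perm" | cut -c3)
            if [ $((obit & 2)) -ne 0 ]; then
                printf '%s\tworld-writable (mode %s)\n' "$dir" "$mode"
            elif [ $((gbit & 2)) -ne 0 ] && [ "$grp" != root ]; then
                printf '%s\twritable by group %s (mode %s)\n' "$dir" "$grp" "$mode"
            fi
        done
    done
}

# Constructed sample (not a real system): one conf fragment that names a
# properly protected directory and one that is world-writable. Prints the
# temporary root so the caller can audit and then remove it.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/safe" "$root/unsafe"
    chmod 755 "$root/safe"
    chmod 1777 "$root/unsafe"
    printf '# libc default configuration\n%s\n%s\n' \
        "$root/safe" "$root/unsafe" > "$root/conf/libc.conf"
    printf '%s\n' "$root"
}

# Demo run over the constructed sample; on a real host you would call
# audit_ldconf /etc/ld.so.conf.d instead.
sample=$(make_sample)
audit_ldconf "$sample/conf"
rm -rf "$sample"
```

On a Debian host this reports /usr/local/lib whenever it is group-writable by staff, which is the exact condition the report describes; a directory that is mode 775 but owned by group root is treated as safe, since only root can add members to that group anyway.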