This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN


http://sourceware.org/bugzilla/show_bug.cgi?id=12393

           Summary: ld.so: insecure handling of privileged programs'
                    RPATHs with $ORIGIN
           Product: glibc
           Version: 2.12
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: thoger@redhat.com


ld.so currently expands $ORIGIN in privileged programs' RPATH when $ORIGIN is
listed alone (see _dl_dst_count and is_dst):

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=41b5ce76;hb=master#l220

A local user can make ld.so load a malicious DSO if she has write access to some
directory on the same file system as:

$ ln /path/to/suid
$ LD_PRELOAD=payload ./suid


$ORIGIN is not expanded if it's not the only thing in RPATH, e.g. in cases like
$ORIGIN/../lib, as DL_DST_COUNT() returns 0 and expand_dynamic_string_token()
uses strdup rather than _dl_dst_substitute():

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=41b5ce76;hb=master#l322

If some privileged program is built with such an RPATH, a malicious DSO can be
loaded regardless of the file system boundaries as:

$ mkdir '$ORIGIN' lib
$ ln -s payload lib/lib-required-by-privileged-program.so
$ /path/to/suid

ld.so searches relative to the CWD.


A few possible fixes were proposed recently, such as:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html

The problem with that approach is that with l_origin == -1,
_dl_dst_substitute() expands "$ORIGIN" to "", which again triggers a search
starting from the CWD and can be abused as e.g.:

$ LD_PRELOAD=payload /path/to/suid


The first two issues affect multiple glibc versions back; the third one was tested
with Fedora glibc 2.12.2-1 packages.

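The precondition for every case in the report above is a privileged (setuid/setgid) binary whose RPATH or RUNPATH references $ORIGIN. The following audit script is an added example, not code from the bug report or from glibc; it assumes GNU `readelf` is installed and parses its `-d` output to flag such binaries so they can be rebuilt without $ORIGIN or prioritised for the ld.so fix.

```sh
#!/bin/sh
# Added example (not from the bug report): find setuid/setgid ELF binaries
# whose dynamic section references $ORIGIN in RPATH or RUNPATH.

# dynsec_uses_origin: read a `readelf -d` dump on stdin; return 0 when an
# (RPATH) or (RUNPATH) entry mentions $ORIGIN, 1 otherwise. This matches both
# the "$ORIGIN alone" and the "$ORIGIN/../lib" forms discussed in the report.
dynsec_uses_origin() {
    grep -E '\((RPATH|RUNPATH)\)' | grep -q -F '$ORIGIN'
}

# rpath_entries: read a `readelf -d` dump on stdin; print only the RPATH and
# RUNPATH lines so an auditor can see the exact search path that was baked in.
rpath_entries() {
    grep -E '\((RPATH|RUNPATH)\)' || true
}

# check_binary FILE: print FILE and its RPATH/RUNPATH entries when $ORIGIN is
# referenced. Returns 0 when flagged, 1 when clean or when FILE is not an ELF
# object readelf can parse.
check_binary() {
    f=$1
    dump=$(readelf -d "$f" 2>/dev/null) || return 1
    printf '%s\n' "$dump" | dynsec_uses_origin || return 1
    printf '%s:\n' "$f"
    printf '%s\n' "$dump" | rpath_entries
    return 0
}

# audit_privileged [DIR...]: walk the given roots (default /usr /bin /sbin),
# staying on one file system per root, and report every setuid/setgid file
# that check_binary flags. Requires read access to the binaries, so run as root.
audit_privileged() {
    [ $# -eq 0 ] && set -- /usr /bin /sbin
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        check_binary "$f" || true
    done
}
```

A hit means the binary's own RPATH lets ld.so resolve libraries relative to $ORIGIN, so the hardlink and CWD cases in the report apply to it until glibc is fixed.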

