This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)
- From: "aurelien at aurel32 dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 17 Dec 2017 17:08:57 +0000
- Subject: [Bug libc/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)
- Auto-submitted: auto-generated
- References: <bug-22625-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
Aurelien Jarno <aurelien at aurel32 dot net> changed:
What    |Removed          |Added
--------+-----------------+----------------------------------------------------
Summary |(CVE-2017-16997) |RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID
        |                 |binaries or if /proc is not mounted (CVE-2017-16997)
--- Comment #1 from Aurelien Jarno <aurelien at aurel32 dot net> ---
The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH
token and interprets empty tokens as the current directory ("./"). In practice
the check for an empty token is done *after* the dynamic string token expansion.
The expansion process can return an empty string for the $ORIGIN token if
__libc_enable_secure is set or if the path of the binary cannot be determined
(/proc not mounted).
In short, it means that the dynamic linker can load libraries (including
libc.so.6) from the current directory for AT_SECURE and SUID binaries that have
an RPATH or RUNPATH starting with $ORIGIN. Libraries with a $ORIGIN RPATH are
handled correctly. The bug has existed since glibc 2.19.
The test is as simple as:
- echo 'int main() {}' > test.c
- gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
- change the binary to SUID root
- run it under strace to see that it tries to load libc.so.6 from the current
directory (try from different paths).
Fortunately I have not found any binary with both the SUID bit set and an
RPATH or RUNPATH containing $ORIGIN on distributions. I checked the full Debian
Stretch archive, and a standard installation of openSUSE and Fedora. The path
specified by $ORIGIN is ignored for SUID binaries despite the bug, which is
probably the reason why such binaries do not exist. Therefore it is only a
theoretical issue.
Note: the /proc part is Debian bug#787227. I found the AT_SECURE/SUID issue
while investigating.
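Added example, not glibc's code and not part of the comment above: a simplified C model of the token loop in fillin_rpath, contrasting the ordering described in the comment (expand first, then treat an empty result as "./") with an assumed corrected ordering that checks for an empty literal token before expansion and drops an expansion that came back empty. It assumes the binary lives in /opt/app/lib and uses a `secure` flag to stand in for __libc_enable_secure or an undeterminable origin.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define ORIGIN_DIR "/opt/app/lib"   /* assumed location of the binary */

/* Stand-in for expand_dynamic_string_token: $ORIGIN becomes "" when
   the process is secure (AT_SECURE/SUID) or the origin is unknown. */
static const char *expand_token(const char *tok, bool secure)
{
    if (strcmp(tok, "$ORIGIN") == 0)
        return secure ? "" : ORIGIN_DIR;
    return tok;
}

/* Split an RPATH/RUNPATH on ':' and return the resulting search list,
   ':'-joined ("" when nothing is searched).  fixed=false reproduces the
   ordering behind CVE-2017-16997; fixed=true is the assumed correction. */
const char *fillin_rpath_model(const char *rpath, bool secure, bool fixed)
{
    static char out[512];
    const char *p = rpath;
    out[0] = '\0';
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[128];
        const char *cp;
        snprintf(tok, sizeof tok, "%.*s", (int)len, p);
        if (!fixed) {
            /* Vulnerable order: expand first, then map "" to "./", so an
               empty $ORIGIN expansion silently becomes the cwd. */
            cp = expand_token(tok, secure);
            if (*cp == '\0')
                cp = "./";
        } else if (*tok == '\0') {
            cp = "./";                 /* only a literal empty token is cwd */
        } else {
            cp = expand_token(tok, secure);  /* an empty expansion is dropped */
        }
        if (*cp != '\0') {
            if (out[0] != '\0')
                strcat(out, ":");
            strcat(out, cp);
        }
        if (end == NULL) break;
        p = end + 1;
    }
    return out;
}
```

With the vulnerable ordering, a SUID binary linked with `-rpath '$ORIGIN'` searches "./" first; with the corrected ordering the $ORIGIN entry is simply dropped.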