This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)


https://sourceware.org/bugzilla/show_bug.cgi?id=22625

Dmitry V. Levin <ldv at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ldv at sourceware dot org

--- Comment #2 from Dmitry V. Levin <ldv at sourceware dot org> ---
(In reply to Aurelien Jarno from comment #1)
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH
> token and interprets empty tokens as the current directory ("./"). In
> practice the check for an empty token is done *after* the dynamic string token
> expansion. The expansion process can return an empty string for the $ORIGIN
> token if __libc_enable_secure is set or if the path of the binary cannot be
> determined (/proc not mounted).
> 
> In short it means that the dynamic linker can load libraries (including
> libc.so.6) from the current directory for AT_SECURE and SUID binaries that
> have an RPATH or RUNPATH starting with $ORIGIN.

Yes.

> Libraries with a $ORIGIN RPATH are handled correctly.

Sorry, did you mean "without $ORIGIN"?

> The bug exists since glibc 2.19.
> 
> The test is as simple as:
> - echo 'int main() {}' > test.c
> - gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
> - change the binary to SUID root
> - run it under strace to see it tries to load libc.so.6 from the current
>   directory (try from different paths).

Invoking a SUID executable under strace effectively strips SUID unless strace
itself is SUID, which is unlikely.

Here is a simpler test:
$ ln -snf /dev/null libc.so.6 && rm -rf d && mkdir -m0700 d && cd d && \
  echo 'int main(){}' | gcc -xc - -Wl,-rpath,'$ORIGIN' && \
  chgrp -h another_group a.out && chmod 02710 a.out && cd .. && d/a.out
d/a.out: error while loading shared libraries: libc.so.6: file too short

-- 
You are receiving this mail because:
You are on the CC list for the bug.
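Added example (not part of this bug comment and not glibc's own code): a simplified C model of the element-processing order that comment #1 describes. The function names, the MAX_DIRS/DIR_LEN limits and the rule "an element whose $ORIGIN cannot be substituted expands to the empty string" are assumptions made for illustration, not a transcription of elf/dl-load.c. `fillin_rpath_vulnerable` tests for an empty element only after expansion, so "$ORIGIN" under AT_SECURE (or with the executable's directory unknown) collapses to "./"; `fillin_rpath_fixed` classifies genuinely empty elements before expansion and discards anything that expands to nothing, which is the ordering a fix needs to preserve the old meaning of ":" while never turning a failed expansion into the current directory.

```c
/* Added example modelling the RPATH element handling described in
   glibc bug 22625.  This is NOT glibc's fillin_rpath; all names and
   limits below are assumptions for illustration.  */
#include <stdio.h>
#include <string.h>

#define MAX_DIRS 16
#define DIR_LEN  256

/* Search directories produced by the last fillin_rpath_* call. */
char search_dirs[MAX_DIRS][DIR_LEN];

/* Expand one RPATH element.  Only the "$ORIGIN" token is handled.  In
   secure mode, or when origin is NULL (executable path unknown, e.g.
   /proc not mounted), the token cannot be substituted and the whole
   element is modelled as expanding to the empty string.  */
static void expand_element(const char *elem, const char *origin, int secure,
                           char *out, size_t outlen)
{
    const char *tok = "$ORIGIN";
    size_t toklen = strlen(tok), n = 0;
    out[0] = '\0';
    while (*elem != '\0' && n + 1 < outlen) {
        if (strncmp(elem, tok, toklen) == 0) {
            if (secure || origin == NULL) {
                out[0] = '\0';          /* unsubstitutable DST: drop element */
                return;
            }
            size_t olen = strlen(origin);
            if (n + olen + 1 > outlen)
                olen = outlen - 1 - n;  /* truncate rather than overflow */
            memcpy(out + n, origin, olen);
            n += olen;
            elem += toklen;
        } else {
            out[n++] = *elem++;
        }
    }
    out[n] = '\0';
}

/* Copy the next ':'-separated element of *pp into elem; return 0 at end.
   A trailing ':' yields one final empty element, as in "lib:".  */
static int next_element(const char **pp, char *elem, size_t elemlen)
{
    const char *p = *pp;
    if (p == NULL)
        return 0;
    const char *sep = strchr(p, ':');
    size_t len = sep ? (size_t)(sep - p) : strlen(p);
    if (len >= elemlen)
        len = elemlen - 1;
    memcpy(elem, p, len);
    elem[len] = '\0';
    *pp = sep ? sep + 1 : NULL;
    return 1;
}

/* Vulnerable ordering: the empty-element check runs after expansion, so
   an element that became empty through a failed $ORIGIN substitution is
   indistinguishable from a deliberately empty element ("./").  */
int fillin_rpath_vulnerable(const char *rpath, const char *origin, int secure)
{
    char elem[DIR_LEN], buf[DIR_LEN];
    int count = 0;
    while (count < MAX_DIRS && next_element(&rpath, elem, sizeof elem)) {
        expand_element(elem, origin, secure, buf, sizeof buf);
        strcpy(search_dirs[count++], buf[0] == '\0' ? "./" : buf);  /* BUG */
    }
    return count;
}

/* Corrected ordering: decide "empty means current directory" on the raw
   element, then discard anything that expands to nothing.  */
int fillin_rpath_fixed(const char *rpath, const char *origin, int secure)
{
    char elem[DIR_LEN], buf[DIR_LEN];
    int count = 0;
    while (count < MAX_DIRS && next_element(&rpath, elem, sizeof elem)) {
        if (elem[0] == '\0') {              /* genuinely empty element */
            strcpy(search_dirs[count++], "./");
            continue;
        }
        expand_element(elem, origin, secure, buf, sizeof buf);
        if (buf[0] == '\0')                 /* failed expansion: skip */
            continue;
        strcpy(search_dirs[count++], buf);
    }
    return count;
}

int main(void)
{
    /* Constructed sample RPATH, evaluated as an AT_SECURE binary whose
       directory could not be determined.  */
    const char *rpath = "$ORIGIN:$ORIGIN/../lib";
    int i, n;

    n = fillin_rpath_vulnerable(rpath, NULL, 1);
    printf("vulnerable ordering: %d search dir(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", search_dirs[i]);

    n = fillin_rpath_fixed(rpath, NULL, 1);
    printf("fixed ordering: %d search dir(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", search_dirs[i]);
    return 0;
}
```

Run as-is, the vulnerable variant reports two search directories, both "./", for the secure case; the fixed variant reports none, while an ordinary (non-secure) run with a known origin still expands $ORIGIN normally and a trailing ":" still yields "./" in both variants.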
