ELF_RPATH.txt

Posted Jan 29, 2004
Authored by Matthias Andree

Some dynamically linked binary builds of the CVSup package contain untrusted paths in the ELF RPATH fields of the executables which may allow for local privilege escalation.

tags | advisory, local
SHA-256 | b8782bca72a905590f6df6d37502a533b73ad0fe9fb35cea32cce7475f90ab88

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MA-SA-2004:02.ELF_RPATH

Topic: Insecure ELF RPATH allows user privilege escalation

Announcement: MA-SA-2004-02
Writer: Matthias Andree
Version: 1.0
Announced: 2004-01-29
Type: local escalation of privileges
Impact: vulnerability enables one user to run a process under
some other user's account credentials
Danger: medium to high (depends on packager)
- privilege escalation possible,
program reads libraries from world-writable path (SuSE RPM)
or non-root writable path (Anthon van der Neut's RPM)

Affects: - cvsup-16.1h-2.i386.rpm by Anthon van der Neut
- cvsup-16.1h-43.i586.rpm by SUSE LINUX AG
(this list does not claim to be complete)

Not affected: - cvsup-16.1h-90.i586.rpm by SUSE LINUX AG
- cvsup-16.1h FreeBSD 4 package
- all statically linked builds such as
cvsup-16.1d-LINUXLIBC6.tar.gz on FreeBSD mirrors
(this list does not claim to be complete)

0. Release history

2004-01-21 0.1 first draft
2004-01-29 1.0 first release, updated vendor contact

1. Background

CVSup is a "software package for distributing and updating collections
of files across a network. It can efficiently and accurately mirror all
types of files, including sources, binaries, hard links, symbolic links,
and even device nodes." (quoting John D. Polstra, http://www.cvsup.org/)

CVSup appears to be a registered trademark of John D. Polstra.

This announcement deals with third-party RPM packages for SuSE Linux,
not with statically linked CVSup packages and not with the CVSup
software itself.

2. Problem description

Some dynamically linked binary builds of the CVSup package contain
untrusted paths in the ELF RPATH fields of the executables. Paths found
include /home/anthon and /usr/src/packages; the latter may be world
writable on SuSE systems depending on the PERMISSIONS_SECURITY setting
in /etc/sysconfig/security (the "easy" setting is vulnerable in any
case).

3. Impact

Anyone with write access to one of the directories listed in the RPATH
can potentially make cvsup or cvsupd link against a manipulated library
at run time and hence execute his own code with the privileges of the
user running the cvsup, cvsupd or cvpasswd programs.

4. Checking for vulnerability

On ELF systems, "objdump -p /usr/bin/cvsup | grep RPATH" or
"readelf -d /usr/bin/cvsup | grep RPATH" can be used to print the
run-time library search path of an ELF object (executable or library).

The result is either missing/empty or a colon-separated list of
directories. All directories listed here and their parents up to the
root of the file system should only be writable by the privileged user
and nobody else.

5. Solution

On SuSE Linux 9.0 and 8.2 for the i386 architecture, replace the cvsup
RPM by the SuSE Linux 9.0 upgrade RPM, cvsup-16.1h-90.i586.rpm.
Solutions for other systems are unknown.

Ask your vendor if and only if you are entitled to security support.

6. Future

The CVSup and Modula-3 configurations that were used to build the
vulnerable cvsup packages should be checked carefully to identify which
component leaked the RPATH into the executable.

Automated package build systems for any distribution should check the
ELF RPATH of all generated ELF objects before bundling the package and
refuse to package if untrusted run-time library path components are
found, for a reasonable definition of "trusted". (see appendix B)

A. References

SuSE security information: http://www.suse.de/en/security/
CVSup home page: http://www.cvsup.org/

B. Vendor contacts (UTC dates) and actions, as far as known

2004-01-11 contacted SuSE Security and John D. Polstra
2004-01-11 John D. Polstra removes link to Anthon van der Neut's
packages from the CVSup FAQ
2004-01-12 Thomas Biege of SuSE assures "fix ASAP"
2004-01-19 SuSE releases bugfixed RPM for SuSE Linux 9.0
2004-01-21 contacted Anthon van der Neut by mail
2004-01-26 no mail response, but reached Anthon van der Neut by telephone
he added a note that the package is vulnerable, and added a
link to the SuSE package, but he links to the outdated version
2004-01-29 SuSE Security Announcement SuSE-SA:2004:004 mentions the
cvsup fix and announces that the SuSE build system will
be checking the RPATH.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAGRXovmGDOQUufZURAjNxAJ4x4epjbaN2o9zdRL27K/OIZ9D94QCgi/1N
laOl0Ep5KLsUrtungqziLZA=
=yPOA
-----END PGP SIGNATURE-----