5958917 2001-01-12 18:08 +0100 /58 lines/ Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-01-15 18:00 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Florian.Weimer@RUS.UNI-STUTTGART.DE
Recipient: Bugtraq (import) <14796>
Comment on text 5948690 by Simon Cozens <simon@COZENS.NET>
Subject: Re: Glibc Local Root Exploit
------------------------------------------------------------
From: Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <tglmsglmva.fsf@mercury.rus.uni-stuttgart.de>

Simon Cozens <simon@COZENS.NET> writes:

> And a patch. Yeah, it's pretty obvious, but nobody's produced it yet.

Your patch doesn't include the HOSTALIASES fix (which is security-related as well):

Index: sysdeps/generic/unsecvars.h
===================================================================
RCS file: /cvs/glibc/libc/sysdeps/generic/unsecvars.h,v
retrieving revision 1.1
retrieving revision 1.3
diff -u -d -b -r1.1 -r1.3
--- unsecvars.h	2000/09/26 09:31:25	1.1
+++ unsecvars.h	2001/01/08 17:54:58	1.3
@@ -1,11 +1,12 @@ /* Environment variable to be removed for SUID programs. */ #define UNSECURE_ENVVARS \ "GCONV_PATH", \ + "HOSTALIASES", \ "LOCALDOMAIN", \ "LOCPATH", \ "MALLOC_TRACE", \ "NLSPATH", \ - "RESOLV_HOST_CONF" \ + "RESOLV_HOST_CONF", \ "RES_OPTIONS", \ "TMPDIR", \ "TZDIR"
Index: resolv/res_query.c
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -b -r1.15 -r1.16
--- res_query.c	2000/07/19 21:59:47	1.15
+++ res_query.c	2001/01/08 17:55:24	1.16
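Review bot: in the unsecvars.h hunk, the comma added after "RESOLV_HOST_CONF" is a bug fix in its own right and belongs in the commit message next to the HOSTALIASES addition: in revision 1.1 the adjacent literals "RESOLV_HOST_CONF" \ and "RES_OPTIONS", \ are pasted together by the compiler into the single name RESOLV_HOST_CONFRES_OPTIONS, so neither RESOLV_HOST_CONF nor RES_OPTIONS was actually being removed from a setuid process's environment. Note also that this list becomes the only protection for HOSTALIASES once the res_query.c hunk that follows reads the variable with plain getenv() instead of __secure_getenv(), which refuses to return it in a setuid process; that is acceptable only if the scrubbing runs on every setuid/setgid start-up path, static binaries included, otherwise keep __secure_getenv() there.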
@@ -371,7 +371,7 @@ if (statp->options & RES_NOALIASES) return (NULL); - file = __secure_getenv("HOSTALIASES"); + file = getenv("HOSTALIASES"); if (file == NULL || (fp = fopen(file, "r")) == NULL) return (NULL); setbuf(fp, NULL);

--
Florian Weimer                Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart       http://cert.uni-stuttgart.de/
RUS-CERT                      +49-711-685-5973/fax +49-711-685-5898
(5958917) ------------------------------------------

5959214 2001-01-13 13:22 +1100 /33 lines/ Andrew Bartlett <abartlet@PCUG.ORG.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-01-15 19:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: abartlet@pcug.org.au
Recipient: Bugtraq (import) <14805>
Comment on text 5949872 by Matt Zimmerman <mdz@CSH.RIT.EDU>
Subject: Re: Glibc Local Root Exploit
------------------------------------------------------------
Matt Zimmerman wrote:
>
> On Thu, Jan 11, 2001 at 01:42:52AM +0200, Ari Saastamoinen wrote:
>
> > On Wed, 10 Jan 2001, Pedro Margate wrote:
> >
> > > install the ssh binary as suid root by default. This can be disabled
> > > during configuration or after the fact with chmod. I believe that would
> >
> > That exploit can use any suid root program which resolves host names. (For
> > example ping and traceroute) So you cannot fix that glibc exploit only by
> > unsetting SUID bit of ssh client.
>
> Or more properly, an suid root program which resolves host names _while still
> holding root privileges_. ping from netkit and traceroute from LBNL do not
> fall into this category. fping from SATAN, however, does.
>

As does OpenSSH, something that my patch (attached) fixes.

The patch is for OpenSSH 2.3.0p1. Special thanks to Markus Friedl
(Markus.Friedl@informatik.uni-erlangen.de) for his help/comments on the
patches.

Tested on RedHat 7.0.
> --
> - mdz
>
> ------------------------------------------------------------------------
> Part 1.2 Type: application/pgp-signature

--
Andrew Bartlett
abartlet@pcug.org.au
(5959214) --------------------------------(Rewrapped)
Attachment (text/plain) in text 5959215
Attachment (text/plain) in text 5959216

5959215 2001-01-13 13:22 +1100 /29 lines/ Andrew Bartlett <abartlet@PCUG.ORG.AU>
Attachment filename: "ssh.diff"
Imported: 2001-01-15 19:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: abartlet@pcug.org.au
Recipient: Bugtraq (import) <14806>
Attachment (text/plain) to text 5959214
Subject: Attachment (ssh.diff) to: Re: Glibc Local Root Exploit
------------------------------------------------------------
--- ssh.orig	Sat Jan 13 12:51:42 2001
+++ ssh.c	Sat Jan 13 12:52:02 2001
@@ -611,12 +611,10 @@ rsh_connect(host, options.user, &command); fatal("rsh_connect returned"); } - /* Restore our superuser privileges. */ - restore_uid(); /* - * Open a connection to the remote host. This needs root privileges - * if rhosts_{rsa_}authentication is enabled. + * Open a connection to the remote host. This regains + * root privilages as required. */ ok = ssh_connect(host, &hostaddr, options.port,
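Review bot: "privilages" in the new comment should read "privileges". The comment should also say where root is regained now that it no longer happens in this file: ssh_connect() takes the saved euid back only inside ssh_create_socket(), for the reserved-port case, and hands it off again immediately afterwards. With the restore_uid() removed here, everything in ssh_connect() up to that point, host name resolution included, runs under the user's effective uid, which is the purpose of the patch and is worth stating in the comment.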
@@ -625,6 +623,9 @@ !options.rhosts_rsa_authentication, original_real_uid, options.proxy_command); + + /* Restore our superuser privileges. */ + restore_uid(); /* * If we successfully made the connection, load the host private key
(5959215) ------------------------------------------

5959216 2001-01-13 13:22 +1100 /67 lines/ Andrew Bartlett <abartlet@PCUG.ORG.AU>
Attachment filename: "sshconnect.diff"
Imported: 2001-01-15 19:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: abartlet@pcug.org.au
Recipient: Bugtraq (import) <14807>
Attachment (text/plain) to text 5959214
Subject: Attachment (sshconnect.diff) to: Re: Glibc Local Root Exploit
------------------------------------------------------------
--- sshconnect.orig	Sat Jan 13 12:51:49 2001
+++ sshconnect.c	Sat Jan 13 12:52:01 2001
@@ -96,6 +96,7 @@ char *argv[10]; /* Child. Permanently give up superuser privileges. */ + restore_uid(); permanently_set_uid(original_real_uid); /* Redirect stdin and stdout. */
@@ -155,21 +156,22 @@ */ if (privileged) { int p = IPPORT_RESERVED - 1; + /* Restore our superuser privileges. */ + restore_uid(); sock = rresvport_af(&p, family); + /* Back to normal user. */ + temporarily_use_uid(original_real_uid); if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else debug("Allocated local port %d.", p); } else { /* - * Just create an ordinary socket on arbitrary port. We use - * the user's uid to create the socket. + * Just create an ordinary socket on arbitrary port. */ - temporarily_use_uid(original_real_uid); sock = socket(family, SOCK_STREAM, 0); if (sock < 0) error("socket: %.100s", strerror(errno)); - restore_uid(); } return sock; }
@@ -248,11 +250,7 @@ /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, -#ifdef HAVE_CYGWIN !anonymous && port < IPPORT_RESERVED, -#else - !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, -#endif ai->ai_family); if (sock < 0) continue;
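Review bot: in the ssh.c hunk at line 625, the restore_uid() moved here runs unconditionally, before the connection result is examined, so the client is root again whether or not ssh_connect() succeeded; that is harmless for the host-key load that follows, but add a comment that from this line on the process is privileged, so nothing that parses data from the remote side should be inserted between here and the next uid drop.

Review bot: in the sshconnect.c hunk at line 96, the added restore_uid() before permanently_set_uid(original_real_uid) in the proxy-command child is necessary rather than cosmetic: with the effective uid already switched to the user, a setuid() call would change only the effective uid and leave the saved uid as root, so the child could switch back. The comment above it should say that.

Review bot: in the hunk at line 248, dropping geteuid() == 0 from the privileged argument changes behaviour for an ssh that is not installed setuid: with rhosts or rhosts-RSA authentication enabled it now takes the privileged branch of the line 155 hunk, where restore_uid() gains nothing and rresvport_af() fails without root, and the error path gives up on that address instead of falling back to an ordinary socket as before. The test presumably had to go because ssh_connect() now runs with the user's effective uid, so geteuid() would never be 0 at this point; replace it with a flag recorded at start-up (whether the initial effective uid was 0) rather than deleting it. Removing temporarily_use_uid()/restore_uid() around socket() in the line 155 hunk, and around connect() in the hunk that follows, is consistent with the caller now being unprivileged.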
@@ -261,15 +259,12 @@ * hope that it will help with tcp_wrappers showing * the remote uid as root. */ - temporarily_use_uid(original_real_uid); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); - restore_uid(); break; } else { debug("connect: %.100s", strerror(errno)); - restore_uid(); /* * Close the failed socket; there appear to * be some problems when reusing a socket for
(5959216) --------------------------------(Rewrapped)

6017681 2001-01-27 05:55 +0300 /111 lines/ Solar Designer <solar@OPENWALL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-01-29 09:51 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: solar@OPENWALL.COM
Recipient: Bugtraq (import) <15056>
Comment on text 6010146 by Roman Drahtmueller <draht@SUSE.DE>
Subject: summary of recent glibc bugs (Re: SuSE Security Announcement: shlibs/glibc (SuSE-SA:2001:01))
------------------------------------------------------------
From: Solar Designer <solar@OPENWALL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010127055525.A20710@openwall.com>

On Fri, Jan 26, 2001 at 03:55:17PM +0100, Roman Drahtmueller wrote:
> The runtime-linker as used in the SuSE distributions ignores the
> content of the critical environment variables if the specified path
> begins with a slash ("/"), or if the library file name is not

s/begins with/contains/ (otherwise "../" attacks would be possible, which
isn't the case)

> cached (eg it is contained in a path from /etc/ld.so.conf).
> However, Solar Designer has found out that even preloading
> glibc-native shared libraries can be dangerous: The code in the user-linked

Thanks for crediting me, but this isn't exactly what my contribution was
about. The fact that preloading "system" libraries can be dangerous was
known before that (discussed a few years ago, including on Bugtraq). A
solution was then introduced to require that the library be "SUID" for it
to be LD_PRELOAD'able into SUID/SGID programs. On a typical system, there
are no such libraries.

My contribution was to point out that an exploit mentioned by Jakub
Jelinek depended on this check not working. (I've also shown a way to
exploit this property with glibc 2.1.x, but that isn't really my discovery
as it was prompted by a ChangeLog entry for an attempt to fix that.)
Ulrich Drepper committed a fix for this preload-non-SUID-library bug
(which turned out to be in the caching you mention in the advisory) the
next day.

(My other contribution was proving that the LD_PROFILE{,_OUTPUT} handling
was indeed a real vulnerability, as suspected by Daniel Jacobowitz.)

> To eliminate these problems, we provide update packages that completely
> disregard the LD_* variables upon runtime-linking of a binary that has
> an effective uid different from the caller's userid.

I don't see that in the SuSE package (libc-2.1.3-190.src.rpm), which seems
to only contain the fixes from the glibc CVS (which are sufficient for the
bugs we're currently aware of).

I sent this summary to vendor-sec (even though most of the bugs were not
discovered by me, this was just to ensure no vendor misses a fix relevant
to versions of glibc they package):

Date: Sat, 13 Jan 2001 03:00:34 +0300
(A few days after the fixes were committed.)

| These are the (instances of) the recently discovered glibc bugs
| (here "2.1" means 2.1 to 2.1.3, and "2.2" means 2.1.9x+):
|
| 1. LD_PRELOAD works for non-SUID libs even when running SUID/SGID.
|
| This affects both glibc 2.1 and 2.2. The proven way to abuse this
| property is via libSegFault (overwrite any file), but even worse
| attacks (providing a root shell directly) are likely to exist.
|
| Fixed in the CVS.
|
| 2. LD_PROFILE uses a file in /var/tmp even when running SUID/SGID.
|
| Both 2.1 and 2.2. The file is unsafely created and later mmap'ed
| for processing. There're memory writes with addresses calculated
| from data in the file, with no bounds checking. Thus, it definitely
| is possible to overwrite files with this, and it might be possible to
| get a root shell via this vulnerability directly.
|
| Fixed in the CVS by moving the profiling files to /var/profile (which
| should only be created if the feature is desired) for the SUID/SGID
| case. /var/tmp is still used for non-SUID/SGID programs if run with
| LD_PROFILE set, which I dislike, but this is only a minor problem.
|
| 3. SEGFAULT_OUTPUT_NAME is trusted even when running SUID/SGID.
|
| Both 2.1 and 2.2. As the library isn't installed SUID by default,
| this is only exploitable due to bug #1.
|
| Not fixed (the access() checks don't count).
|
| 4. MEMUSAGE_OUTPUT is trusted even when running SUID/SGID.
|
| 2.2 only (wasn't a part of glibc 2.1, but could be installed with it
| as well). Similar to the SEGFAULT_OUTPUT_NAME.
|
| 5. RESOLV_HOST_CONF is trusted even when running SUID/SGID.
|
| 2.2 only. Fixed in the CVS.

Date: Sun, 14 Jan 2001 14:44:56 +0300

| BTW, these recent bugs are now also fixed in glibc-2-1-branch, thanks
| to Andreas Jaeger.

The glibc 2.2 RESOLV_HOST_CONF bug which prompted this search for bugs was
reported to Debian by Dale Thatcher but apparently wasn't kept private.
The remaining bugs were discovered and dealt with within two days
following the RESOLV_HOST_CONF bug report. As this bug got public, vendors
were forced to not coordinate the release of updated glibc packages.

--
/sd
(6017681) ------------------------------------------
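Added example (not glibc code, and not part of Florian Weimer's patch or of any message in this thread) illustrating the unsecvars.h hunk earlier in the thread: a small model of the environment scrubbing that glibc applies to setuid/setgid processes, run against the UNSECURE_ENVVARS list as it stood in revision 1.1 and as the hunk leaves it in revision 1.3. The environment it scrubs is constructed for the demonstration, and scrub_env, env_has and survives_scrub are names chosen here, not glibc's.

```c
/* Added example, not glibc code: models the unsecvars.h scrubbing so the
 * effect of the missing comma can be seen.  Names and data are constructed. */
#include <stdio.h>
#include <string.h>

/* The list as it stood in unsecvars.h revision 1.1.  The missing comma
 * after "RESOLV_HOST_CONF" is reproduced on purpose: C pastes adjacent
 * string literals together, so the compiler sees one entry named
 * "RESOLV_HOST_CONFRES_OPTIONS" where two were intended. */
static const char *const unsecvars_rev1_1[] = {
    "GCONV_PATH",
    "LOCALDOMAIN",
    "LOCPATH",
    "MALLOC_TRACE",
    "NLSPATH",
    "RESOLV_HOST_CONF"   /* no comma here: the bug */
    "RES_OPTIONS",
    "TMPDIR",
    "TZDIR",
    NULL
};

/* The list as the hunk leaves it (revision 1.3): HOSTALIASES added, comma fixed. */
static const char *const unsecvars_rev1_3[] = {
    "GCONV_PATH",
    "HOSTALIASES",
    "LOCALDOMAIN",
    "LOCPATH",
    "MALLOC_TRACE",
    "NLSPATH",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
    "TMPDIR",
    "TZDIR",
    NULL
};

/* Remove, in place, every "NAME=value" entry of the NULL-terminated array
 * env whose NAME is in unsafe; returns how many were removed.  The name is
 * compared whole, up to '=', so the pasted entry above matches nothing. */
size_t scrub_env(char **env, const char *const *unsafe)
{
    size_t removed = 0;
    char **in = env, **out = env;

    for (; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        size_t namelen = eq ? (size_t)(eq - *in) : strlen(*in);
        int drop = 0;

        for (const char *const *u = unsafe; *u != NULL; u++) {
            if (strlen(*u) == namelen && memcmp(*u, *in, namelen) == 0) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Is a variable called name still present in env? */
int env_has(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return 1;
    return 0;
}

/* Scrub a constructed attacker environment (not from any real process)
 * with the given list; returns 1 if the variable called name survived. */
int survives_scrub(const char *const *list, const char *name)
{
    char path[] = "PATH=/usr/bin:/bin";
    char rhc[]  = "RESOLV_HOST_CONF=/tmp/evil.conf";
    char ro[]   = "RES_OPTIONS=ndots:7";
    char ha[]   = "HOSTALIASES=/tmp/evil.aliases";
    char home[] = "HOME=/root";
    char *env[] = { path, rhc, ro, ha, home, NULL };

    scrub_env(env, list);
    return env_has(env, name);
}

int main(void)
{
    printf("rev 1.1 has %zu names, rev 1.3 has %zu\n",
           sizeof(unsecvars_rev1_1) / sizeof(*unsecvars_rev1_1) - 1,
           sizeof(unsecvars_rev1_3) / sizeof(*unsecvars_rev1_3) - 1);
    printf("rev 1.1: RES_OPTIONS survives: %d, RESOLV_HOST_CONF survives: %d\n",
           survives_scrub(unsecvars_rev1_1, "RES_OPTIONS"),
           survives_scrub(unsecvars_rev1_1, "RESOLV_HOST_CONF"));
    printf("rev 1.3: RES_OPTIONS survives: %d, HOSTALIASES survives: %d\n",
           survives_scrub(unsecvars_rev1_3, "RES_OPTIONS"),
           survives_scrub(unsecvars_rev1_3, "HOSTALIASES"));
    return 0;
}
```

With the revision 1.1 list both RESOLV_HOST_CONF and RES_OPTIONS survive, because the compiler had pasted the two names into one; with the revision 1.3 list they and HOSTALIASES are removed while unrelated variables such as PATH are kept. Whether the real loader is in secure mode at all is decided by the kernel (AT_SECURE), not by anything in this model.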