This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- From: "thoger at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Wed, 12 Jan 2011 14:47:51 +0000
- Subject: [Bug libc/12393] New: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Summary: ld.so: insecure handling of privileged programs' RPATHs with $ORIGIN
Product: glibc
Version: 2.12
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: thoger@redhat.com
ld.so currently expands $ORIGIN in privileged programs' RPATH when $ORIGIN is
listed alone (see _dl_dst_count and is_dst):
http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=41b5ce76;hb=master#l220
A local user can make ld.so load a malicious DSO if she has write access to some
directory on the same file system as:
$ ln /path/to/suid
$ LD_PRELOAD=payload ./suid
$ORIGIN is not expanded if it's not the only thing in RPATH, e.g. in cases like
$ORIGIN/../lib, as DL_DST_COUNT() returns 0 and expand_dynamic_string_token()
uses strdup rather than _dl_dst_substitute():
http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=41b5ce76;hb=master#l322
If some privileged program is built with such RPATH, a malicious DSO can be
loaded regardless of the file system boundaries as:
$ mkdir '$ORIGIN' lib
$ ln -s payload lib/lib-required-by-privileged-program.so
$ /path/to/suid
ld.so searches relative to the CWD.
A few possible fixes were proposed recently, such as:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html
The problem with that approach is that with l_origin == -1,
_dl_dst_substitute() expands "$ORIGIN" to "", which again triggers search
starting from the CWD and can be abused as e.g.:
$ LD_PRELOAD=payload /path/to/suid
The first two issues affect multiple glibc versions back; the third one was tested
with Fedora glibc 2.12.2-1 packages.
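As an added example (not part of the report, and not glibc's code), the following Python auditor pulls DT_RPATH and DT_RUNPATH out of an ELF64 object and classifies each path element under the secure-mode rules the report describes: an element that is exactly $ORIGIN is expanded, so a hard link to the binary moves the search directory along with it, while an element that merely contains $ORIGIN is kept as a literal string and is therefore a relative path searched from the CWD. The ELF parsing is a minimal section-header walk written for this example; build_sample_elf constructs a non-loadable test image inline so the block runs offline. The verdict strings, the sample image, and the script name in the usage comment are this example's own assumptions, and the verdicts model the glibc 2.12-era behaviour the bug describes rather than any later glibc release.

```python
"""Audit DT_RPATH / DT_RUNPATH entries of an ELF64 object for the $ORIGIN
handling described in glibc bug 12393.

Added example, not glibc or the reporter's code.  The verdicts model the
glibc 2.12 secure-mode (set-user-ID) behaviour the report describes:
a path element that is exactly $ORIGIN is expanded, so a hard link to the
binary moves the search directory; an element that only contains $ORIGIN
is left as a literal string and is therefore searched relative to the CWD.
"""
import os
import stat
import struct
import sys

DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn: d_tag, d_un


def read_rpaths(data):
    """Return [(tag, string)] for every DT_RPATH/DT_RUNPATH in a LE ELF64 image,
    walking the section headers: SHT_DYNAMIC -> sh_link -> string table."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = e[6], e[11], e[12]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    found = []
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        st = shdrs[sh_link]                      # the string table .dynamic refers to
        strtab = data[st[4]:st[4] + st[5]]
        for pos in range(sh_off, sh_off + sh_size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                s = strtab[val:strtab.index(b"\0", val)].decode()
                found.append(("DT_RPATH" if tag == DT_RPATH else "DT_RUNPATH", s))
    return found


def classify_element(elem):
    """Verdict for one colon-separated search-path element in secure mode."""
    if elem in ("$ORIGIN", "${ORIGIN}"):
        return "expanded: directory of the executable as invoked (hard link moves it)"
    if "$ORIGIN" in elem or "${ORIGIN}" in elem:
        return "not expanded: kept literally, so a relative path searched from the CWD"
    if not elem.startswith("/"):
        return "relative path searched from the CWD"
    return "absolute path"


def audit(data, mode=None):
    """(privileged, [(tag, element, verdict)]); privileged is None if mode is unknown."""
    privileged = None if mode is None else bool(mode & (stat.S_ISUID | stat.S_ISGID))
    findings = [(tag, elem, classify_element(elem))
                for tag, path in read_rpaths(data) for elem in path.split(":")]
    return privileged, findings


def audit_file(path):
    with open(path, "rb") as f:
        return audit(f.read(), os.stat(path).st_mode)


def build_sample_elf(rpath):
    """Constructed test input: a minimal, non-loadable ELF64 image holding only
    a string table and a .dynamic section with one DT_RPATH entry."""
    dynstr = b"\0" + rpath.encode() + b"\0"
    dyn = DYN.pack(DT_STRTAB, 0) + DYN.pack(DT_RPATH, 1) + DYN.pack(DT_NULL, 0)
    dynstr_off = EHDR.size
    dyn_off = dynstr_off + len(dynstr)
    shoff = dyn_off + len(dyn)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                  # SHN_UNDEF
             + SHDR.pack(0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)      # index 1
             + SHDR.pack(0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, DYN.size))  # index 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0, EHDR.size, 56, 0, SHDR.size, 3, 0)
    return ehdr + dynstr + dyn + shdrs


if __name__ == "__main__":
    # Usage (assumed script name): python audit_rpath.py /path/to/binary ...
    # e.g. the output of `find / -perm -4000 -type f`; with no arguments,
    # run on the constructed sample image.
    targets = sys.argv[1:]
    results = ([(p, *audit_file(p)) for p in targets] if targets else
               [("sample", *audit(build_sample_elf("$ORIGIN:$ORIGIN/../lib"), 0o104755))])
    for name, privileged, findings in results:
        print(name, "setuid/setgid" if privileged else "unprivileged")
        for tag, elem, verdict in findings:
            print("  %s %-20s %s" % (tag, elem, verdict))
```

Feed it the set-user-ID binaries on a host to find the two shapes the report says are abusable: a bare $ORIGIN element (the hard-link attack) and a composite element such as $ORIGIN/../lib (the mkdir '$ORIGIN' attack).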