Vuln: Setuid doesn't sanitize environment variables leading to root exploit #251
Comments
Thanks for the report!
So in your opinion, a correct fix would be to set absolute paths in logkeys-start/kill.sh scripts?
That would fix this specific instance, but other environment variables may still affect the behavior of the runtime. I mentioned earlier that
I'm not sure who would run musl-based desktop (Alpine maybe?), so one could do, on a musl-based system (untested):
Or even in glibc, I could probably try harder to find more subtle ways to perform an exploit after kill.sh uses an absolute path. I think ideally, at any point, if both these conditions are true for a setuid:
it should sanitize the whole environment and keep only the bare minimum needed to function. E.g. sudo does this with a Edit: After thinking further, the environment should pretty much always be sanitized if it invokes something else.
Also considering llk & llkk both do
Apologies for reporting this in public. The button to do so privately isn't enabled.
Invoking processes under setuid without sanitizing environment variables is extremely risky. I tried an exploit via $PATH.
Installing:
And here comes the adversary:
This works because logkeys-kill.sh finds the location of logkeys by the $PATH.
I also tried using $LD_PRELOAD; considering RUID == EUID, the shell invoked by system() is in insecure mode (AT_SECURE is off). glibc, however, wipes a bunch of env variables for setuids (https://github.com/bminor/glibc/blob/ae612c45efb5e34713859a5facf92368307efb6e/elf/rtld.c#L2689), whereas musl will not do such hand-holding.
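The thread above argues that absolute paths alone do not fix a setuid wrapper that calls system(): the environment itself has to be reduced to a bare minimum before anything is invoked. The following is an added illustration of that fix, not logkeys' own code; the allow-list, the fixed PATH value and the constructed hostile environment are assumptions for the demo.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
/* Fixed trusted PATH for the child; the caller's PATH is never consulted. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
/* Constructed allow-list of what may pass through. LD_PRELOAD, LD_LIBRARY_PATH
 * and the caller's PATH are not on it, so they are dropped. */
static const char *const keep_prefixes[] = { "TERM=", "LANG=", NULL };

/* Fresh NULL-terminated envp: SAFE_PATH first, then allow-listed entries of `in`.
 * Returns a malloc'd array whose entries point into `in`. */
char **sanitize_env(char *const in[]) {
    size_t n = 0, k = 0;
    while (in[n]) n++;
    char **out = calloc(n + 2, sizeof *out);        /* +1 PATH, +1 terminator */
    if (!out) return NULL;
    out[k++] = SAFE_PATH;
    for (size_t i = 0; i < n; i++)
        for (int j = 0; keep_prefixes[j]; j++)
            if (strncmp(in[i], keep_prefixes[j], strlen(keep_prefixes[j])) == 0) {
                out[k++] = in[i];
                break;
            }
    out[k] = NULL;
    return out;
}

/* What the setuid wrapper should call instead of system("logkeys-kill.sh"):
 * absolute path, no shell, sanitized envp. Returns -1 only if execve fails. */
int launch(const char *abs_path, char *const argv[]) {
    if (!abs_path || abs_path[0] != '/') return -1;  /* never a PATH lookup */
    char **env = sanitize_env(environ);
    if (!env) return -1;
    execve(abs_path, argv, env);
    free(env);
    return -1;
}

/* Constructed hostile environment pushed through sanitize_env; 1 if it comes out clean. */
int demo_env_is_clean(void) {
    char *hostile[] = { "PATH=/tmp/evil:/usr/bin", "LD_PRELOAD=/tmp/evil.so",
                        "LD_LIBRARY_PATH=/tmp", "TERM=xterm", "HOME=/home/user", NULL };
    char **env = sanitize_env(hostile);
    int clean = env && strcmp(env[0], SAFE_PATH) == 0 && env[1]
                && strcmp(env[1], "TERM=xterm") == 0 && env[2] == NULL;
    free(env);
    return clean;
}
int main(void) { return demo_env_is_clean() ? 0 : 1; }
```

Because execve receives an explicit envp and an absolute path, neither a caller-controlled PATH nor LD_PRELOAD reaches the child, on glibc or musl alike.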