This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe
- From: "up201407890 at alunos dot dcc.fc.up.pt" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 17 Apr 2015 22:32:27 +0000
- Subject: [Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18278
Bug ID: 18278
Summary: nscd/connections.c race condition via readlink() and
/proc/self/exe
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: nscd
Assignee: unassigned at sourceware dot org
Reporter: up201407890 at alunos dot dcc.fc.up.pt
CC: drepper.fsp at gmail dot com
Hello,
connections.c from nscd is vulnerable to a race condition caused by readlink()
and /proc/self/exe
nscd/connections.c
https://github.com/lattera/glibc/blob/master/nscd/connections.c#L1516#L1521
#ifdef PATH_MAX
char pathbuf[PATH_MAX];
#else
char pathbuf[256];
#endif
/* Try to exec the real nscd program so the process name (as reported
in /proc/PID/status) will be 'nscd', but fall back to /proc/self/exe
if readlink or the exec with the result of the readlink call fails. */
ssize_t n = readlink ("/proc/self/exe", pathbuf, sizeof (pathbuf) - 1);
if (n != -1)
{
pathbuf[n] = '\0';
execv (pathbuf, argv);
}
This code trusts the /proc/self/exe symlink, even though it is possible to
link it anywhere you want.
$ cd /tmp
$ ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /bin/ls
$ ln `which ls` ls
$ ./ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /tmp/ls
An attacker can exploit this issue by creating a hard link pointing to the nscd
binary. The attacker can now execute the nscd binary through the hard link.
At this moment /proc/sef/exe will point to the hard link. Before nscd is
restarted, the attacker can replace the hard link with a different (executable)
file or (symbolic) link. If nscd is restarted, it will use a path name that at
this moment points to a different file, for example a command shell. Note that
nscd must be SUID-root or executed by the root user in order to elevate
privileges.
TL;DR
One should not trust /proc/self/exe
- Federico Bento
--
You are receiving this mail because:
You are on the CC list for the bug.