This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe


https://sourceware.org/bugzilla/show_bug.cgi?id=18278

            Bug ID: 18278
           Summary: nscd/connections.c race condition via readlink() and
                    /proc/self/exe
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: up201407890 at alunos dot dcc.fc.up.pt
                CC: drepper.fsp at gmail dot com

Hello,

connections.c from nscd is vulnerable to a race condition caused by readlink()
and /proc/self/exe

nscd/connections.c

https://github.com/lattera/glibc/blob/master/nscd/connections.c#L1516#L1521

#ifdef PATH_MAX
  char pathbuf[PATH_MAX];
#else
  char pathbuf[256];
#endif
  /* Try to exec the real nscd program so the process name (as reported
     in /proc/PID/status) will be 'nscd', but fall back to /proc/self/exe
     if readlink or the exec with the result of the readlink call fails.  */
  ssize_t n = readlink ("/proc/self/exe", pathbuf, sizeof (pathbuf) - 1);
  if (n != -1)
    {
      pathbuf[n] = '\0';
      execv (pathbuf, argv);
    }

This code trusts the /proc/self/exe symlink, even though it is possible to
link it anywhere you want.

$ cd /tmp
$ ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /bin/ls
$ ln `which ls` ls
$ ./ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /tmp/ls

An attacker can exploit this issue by creating a hard link pointing to the nscd
binary. The attacker can now execute the nscd binary through the hard link.
At this moment /proc/sef/exe will point to the hard link. Before nscd is
restarted, the attacker can replace the hard link with a different (executable)
file or (symbolic) link. If nscd is restarted, it will use a path name that at
this moment points to a different file, for example a command shell. Note that
nscd must be SUID-root or executed by the root user in order to elevate
privileges.

TL;DR
One should not trust /proc/self/exe

- Federico Bento

-- 
You are receiving this mail because:
You are on the CC list for the bug.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]