Pavel Kankovsky
1998-May-19 14:26 UTC
Beware of dangerous environment (Re: Overflows in minicom)
On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:

> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> to what it does with LD_LIBRARY_PATH etc.). If it doesn't that is a bad bug.
>
> [... clickety click ... ]
>
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.

I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.

  Variable               Impact
  NLSPATH                can read arbitrary file
  LANGUAGE, LANG, LC_*   ditto (if the value starts with a sufficient number of "../")
  TZ                     ditto (../)
  LD_PROFILE_OUTPUT      can overwrite arbitrary file (not verified)

Quite a lot of harm can be caused even with read-only access. Think of
getting read access to /dev/*, esp. /dev/mem and /dev/port (welcome to the
world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.

Affected versions chart

  Ver./Var.            NLSPATH   LANGUAGE, LANG, LC_*   TZ      LD_PROFILE_OUTPUT

  libc 5.4.44          yes       yes(0)                 yes     no
  glibc 2.0.7          no(1)     yes                    no(2)   no
  glibc pre2.1         no(1)     yes                    no(2)   yes(3)
    (snapshot 980301)
  Solaris 2.5(4)       yes       no                     yes     maybe
    (with 103187-35)

(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_secure_enable is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report such
    problems to Sun?)

Example of "exploitation"

  $ mkfifo /tmp/LC_MESSAGES
  $ LANG=../../../../tmp xterm &
  $ ps l
   FLAGS   UID   PID  PPID PRI  NI  SIZE  RSS WCHAN      STA TTY TIME COMMAND
     100   555 17293 17291  14   0  1200  804 wait4      S   p2  0:00 -bash
  100000   555 17347 17293  10   0  2384 1208 fifo_open  S   p2  0:00 xterm
  100000   555 17348 17293  17   0   920  500            R   p2  0:00 ps l

Apparently, xterm attempted to open /tmp/LC_MESSAGES. (Oh yes, xterm is
setuid and owned by root.)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
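The two checks that separate the "no" cells from the "yes" cells in the chart above, written out as an added example (my code, not Pavel's and not glibc's): a getenv wrapper that refuses to consult the environment when the real and effective IDs differ, which is the condition behind __secure_getenv(), and a locale-name check that rejects the "../" values the xterm example relies on. The catalog root /usr/share/locale, the <base>/<lang>/LC_MESSAGES layout and every function name are assumptions for illustration; the input "../../../../tmp" is the one from the post.

```c
/* Added example (not from the post, not glibc code): the two checks that
 * separate the "yes" cells from the "no" cells in the chart above. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Condition behind glibc's __secure_getenv(): the process carries privilege
 * it did not inherit from the user who started it. On Linux the kernel also
 * reports this through AT_SECURE in the aux vector; the uid/gid comparison is
 * the portable form used here (assumption: no capability-only privilege). */
static int process_is_secure(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* getenv() that returns NULL in a setuid/setgid process, so the caller falls
 * back to compiled-in defaults instead of user-controlled paths. */
static const char *safe_getenv(const char *name)
{
    if (process_is_secure())
        return NULL;
    return getenv(name);
}

/* A locale name is used as one path component under the catalog directory.
 * Anything containing a separator, or naming "." or "..", can leave that
 * directory, which is exactly what LANG=../../../../tmp does. */
static int locale_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Compose <base>/<lang>/LC_MESSAGES as a catalog lookup would (assumed layout).
 * hardened == 0 reproduces the chart's "yes" behaviour: the caller's value goes
 * straight into the path. hardened != 0 refuses unsafe names.
 * Returns 0 on success, -1 when the name is rejected or the path is truncated. */
static int build_catalog_path(char *out, size_t outsz, const char *base,
                              const char *lang, int hardened)
{
    if (hardened && !locale_name_is_safe(lang))
        return -1;
    int n = snprintf(out, outsz, "%s/%s/LC_MESSAGES", base, lang);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Hypothetical catalog root; the fallback input is the one from the post. */
    const char *base = "/usr/share/locale";
    const char *lang = getenv("LANG");
    char path[512];

    if (lang == NULL)
        lang = "../../../../tmp";

    printf("process is %s\n", process_is_secure()
           ? "setuid/setgid (environment untrusted)" : "unprivileged");

    if (build_catalog_path(path, sizeof path, base, lang, 0) == 0)
        printf("naive lookup would open:    %s\n", path);

    if (build_catalog_path(path, sizeof path, base, lang, 1) == 0)
        printf("hardened lookup would open: %s\n", path);
    else
        printf("hardened lookup rejects LANG=%s\n", lang);

    /* Even a safe name is ignored once the process is secure. */
    const char *v = safe_getenv("LANG");
    printf("safe_getenv(\"LANG\") -> %s\n", v ? v : "(null)");
    return 0;
}
```

Run it as an ordinary user and the naive path comes out as /usr/share/locale/../../../../tmp/LC_MESSAGES, which the kernel resolves to /tmp/LC_MESSAGES, the FIFO in the post. The two checks are independent on purpose: the uid/gid test protects setuid binaries that never validate the name (the NLSPATH and TZ columns), while the name check protects an unprivileged process that still should not be steered outside its catalog tree by a caller's environment. The uid/gid comparison has a known gap: a setuid program that has already set its real IDs equal to its effective IDs, or one that holds capabilities without any ID mismatch, looks unprivileged to it, which is why Linux's AT_SECURE flag is the better signal where it is available.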
Ulrich Drepper
1998-May-19 23:17 UTC
Re: Beware of dangerous environment (Re: Overflows in minicom)
Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> writes:

> Affected versions chart
>
>   Ver./Var.            NLSPATH   LANGUAGE, LANG, LC_*   TZ      LD_PROFILE_OUTPUT
>
>   libc 5.4.44          yes       yes(0)                 yes     no
>   glibc 2.0.7          no(1)     yes                    no(2)   no
>   glibc pre2.1         no(1)     yes                    no(2)   yes(3)
>     (snapshot 980301)

The bugs in glibc 2.1 can be fixed by the appended patch. They apply easily
for glibc 2.0 as well (patch isn't helpful, though). The patches are not
tested very well but they worked for my example setup.

Thanks,

-- Uli
---------------.      drepper at gnu.org  ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Cygnus Solutions `--' drepper at cygnus.com   `------------------------