public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe
@ 2015-04-17 22:32 up201407890 at alunos dot dcc.fc.up.pt
2015-04-20 7:35 ` [Bug nscd/18278] " fweimer at redhat dot com
0 siblings, 1 reply; 2+ messages in thread
From: up201407890 at alunos dot dcc.fc.up.pt @ 2015-04-17 22:32 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18278
Bug ID: 18278
Summary: nscd/connections.c race condition via readlink() and
/proc/self/exe
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: nscd
Assignee: unassigned at sourceware dot org
Reporter: up201407890 at alunos dot dcc.fc.up.pt
CC: drepper.fsp at gmail dot com
Hello,
connections.c from nscd is vulnerable to a race condition caused by readlink()
and /proc/self/exe
nscd/connections.c
https://github.com/lattera/glibc/blob/master/nscd/connections.c#L1516#L1521
#ifdef PATH_MAX
char pathbuf[PATH_MAX];
#else
char pathbuf[256];
#endif
/* Try to exec the real nscd program so the process name (as reported
in /proc/PID/status) will be 'nscd', but fall back to /proc/self/exe
if readlink or the exec with the result of the readlink call fails. */
ssize_t n = readlink ("/proc/self/exe", pathbuf, sizeof (pathbuf) - 1);
if (n != -1)
{
pathbuf[n] = '\0';
execv (pathbuf, argv);
}
This code trusts the /proc/self/exe symlink, even though it is possible to
link it anywhere you want.
$ cd /tmp
$ ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /bin/ls
$ ln `which ls` ls
$ ./ls -la /proc/self/exe
lrwxrwxrwx 1 saken saken 0 Apr 17 23:24 /proc/self/exe -> /tmp/ls
An attacker can exploit this issue by creating a hard link pointing to the nscd
binary. The attacker can now execute the nscd binary through the hard link.
At this moment /proc/sef/exe will point to the hard link. Before nscd is
restarted, the attacker can replace the hard link with a different (executable)
file or (symbolic) link. If nscd is restarted, it will use a path name that at
this moment points to a different file, for example a command shell. Note that
nscd must be SUID-root or executed by the root user in order to elevate
privileges.
TL;DR
One should not trust /proc/self/exe
- Federico Bento
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug nscd/18278] nscd/connections.c race condition via readlink() and /proc/self/exe
2015-04-17 22:32 [Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe up201407890 at alunos dot dcc.fc.up.pt
@ 2015-04-20 7:35 ` fweimer at redhat dot com
0 siblings, 0 replies; 2+ messages in thread
From: fweimer at redhat dot com @ 2015-04-20 7:35 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18278
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security-
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
nscd is not an SUID/SGID binary, so there is no security issue.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-04-20 7:35 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-17 22:32 [Bug nscd/18278] New: nscd/connections.c race condition via readlink() and /proc/self/exe up201407890 at alunos dot dcc.fc.up.pt
2015-04-20 7:35 ` [Bug nscd/18278] " fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).