GNU C library dynamic linker $ORIGIN expansion


From: http://marc.info/?l=full-disclosure&m=128739684614072&w=2

The GNU C library dynamic linker expands $ORIGIN in setuid library search path
------------------------------------------------------------------------------

Gruezi, this is CVE-2010-3847.

The dynamic linker (or dynamic loader) is responsible for the runtime linking of
dynamically linked programs. ld.so operates in two security modes, a permissive
mode that allows a high degree of control over the load operation, and a secure
mode (__libc_enable_secure) intended to prevent users from interfering with the
loading of privileged executables.

$ORIGIN is an ELF substitution sequence representing the location of the
executable being loaded in the filesystem hierarchy. The intention is to allow
executables to specify a search path for libraries that is relative to their
location, to simplify packaging without spamming the standard search paths with
single-use libraries.

Note that despite the confusing naming convention, $ORIGIN is specified in the
DT_RPATH or DT_RUNPATH dynamic tag inside the executable itself, not via the
environment (developers would normally use the -rpath ld parameter, or
-Wl,-rpath,$ORIGIN via the compiler driver).

The ELF specification suggests that $ORIGIN be ignored for SUID and SGID
binaries,

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution

"For security, the dynamic linker does not allow use of $ORIGIN substitution
sequences for set-user and set-group ID programs. For such sequences that
appear within strings specified by DT_RUNPATH dynamic array entries, the
specific search path containing the $ORIGIN sequence is ignored (though other
search paths in the same string are processed). $ORIGIN sequences within a
DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
errors. The same restrictions may be applied to processes that have more than
minimal privileges on systems with installed extended security mechanisms."

However, glibc ignores this recommendation. The attack the ELF designers were
likely concerned about is users creating hardlinks to suid executables in
directories they control and then executing them, thus controlling the
expansion of $ORIGIN.

It is tough to form a thorough complaint about this glibc behaviour however,
as any developer who believes they're smart enough to safely create suid
programs should be smart enough to understand the implications of $ORIGIN
and hard links on load behaviour. The glibc maintainers are some of the
smartest guys in free software, and well known for having a "no hand-holding"
stance on various issues, so I suspect they wanted a better argument than this
for modifying the behaviour (I pointed it out a few years ago, but there was
little interest).

However, I have now discovered a way to exploit this. The origin expansion
mechanic is recycled for use in LD_AUDIT support, and although an attempt is
made to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing API (see the rtld-audit
manual), and has the usual restrictions for setuid programs as LD_PRELOAD does.
However, $ORIGIN expansion is only prevented if it is not used in isolation.

The codepath that triggers this expansion is

_dl_init_paths() -> _dl_dst_substitute() -> _is_dst()

(in the code below, DST is "dynamic string token")

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l741

741      /* Expand DSTs.  */
742      size_t cnt = DL_DST_COUNT (llp, 1);
743      if (__builtin_expect (cnt == 0, 1))
744        llp_tmp = strdupa (llp);
745      else
746        {
747          /* Determine the length of the substituted string.  */
748          size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
749
750          /* Allocate the necessary memory.  */
751          llp_tmp = (char *) alloca (total + 1);
752          llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
753        }

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l245

253      if (__builtin_expect (*name == '$', 0))
254        {
255          const char *repl = NULL;
256          size_t len;
257
258          ++name;
259          if ((len = is_dst (start, name, "ORIGIN", is_path,
260                             INTUSE(__libc_enable_secure))) != 0)
261            {
...
267                repl = l->l_origin;
268            }

http://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-load.c;h=a7162eb77de7a538235a4326d0eb9ccb5b244c01;hb=HEAD#l171

202      if (__builtin_expect (secure, 0)
203          && ((name[len] != '\0' && (!is_path || name[len] != ':'))
204              || (name != start + 1 && (!is_path || name[-2] != ':'))))
205        return 0;
206
207      return len;
208    }

As you can see, $ORIGIN is only expanded if it is alone and first in the path.
This makes little sense, and does not appear to be useful even if there were
no security impact. This was most likely the result of an attempt to re-use the
existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally
introducing this error.
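To make the secure-mode rule concrete, the following is a re-implementation of the is_dst() logic quoted above, written as an added example for this page (it is not glibc's own code), together with a helper that counts which $ORIGIN tokens in a search-path string would still be expanded with __libc_enable_secure set.

```c
#include <stdbool.h>
#include <stddef.h>
/* Re-implementation of glibc's is_dst() from elf/dl-load.c, following the
   snippet quoted above; written for this page, not glibc's own code.
   START is the whole string, NAME points just past a '$', STR is the token
   ("ORIGIN"), IS_PATH marks a ':'-separated search path and SECURE mirrors
   __libc_enable_secure.  Returns the token length, or 0 if not expanded.  */
size_t is_dst(const char *start, const char *name, const char *str,
              int is_path, int secure)
{
    size_t len = 0;
    bool is_curly = false;

    if (name[0] == '{') {          /* the ${ORIGIN} spelling */
        is_curly = true;
        ++name;
    }
    while (name[len] == str[len] && name[len] != '\0')
        ++len;

    if (is_curly) {
        if (name[len] != '}')
            return 0;
        --name;                    /* point back at the '{' */
        len += 2;                  /* the braces are part of the token */
    } else if (name[len] != '\0' && name[len] != '/'
               && (!is_path || name[len] != ':'))
        return 0;                  /* "$ORIGINAL" is not a token */

    /* Secure-mode rule: the token survives only as an entire search-path
       element, so "$ORIGIN/lib" is rejected but a bare "$ORIGIN" is not.  */
    if (secure
        && ((name[len] != '\0' && (!is_path || name[len] != ':'))
            || (name != start + 1 && (!is_path || name[-2] != ':'))))
        return 0;

    return len;
}

/* Count the $ORIGIN tokens in PATH that glibc would still expand with
   __libc_enable_secure set: the "used in isolation" case from the text.  */
int secure_origin_expansions(const char *path)
{
    int count = 0;
    for (const char *p = path; *p != '\0'; ++p)
        if (*p == '$' && is_dst(path, p + 1, "ORIGIN", 1, 1) != 0)
            ++count;
    return count;
}
```

Feeding it constructed values such as "$ORIGIN", "$ORIGIN/lib" and "/usr/lib:$ORIGIN" shows that only the first and last are accepted in secure mode, which is the narrow exception the rest of this post builds on.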

Perhaps surprisingly, this error is exploitable.

--------------------
Affected Software
--------------------

At least the following versions have been tested:

2.12.1, FC13
2.5, RHEL5/CentOS5
