Hi,
On Fri, Oct 01, 2010 at 06:11:08PM +0200, Lars Ellenberg wrote:
> On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> > Hi linux-ha-dev,
> >
> > I received this through the Debian bug tracker.
> > Its not immediately clear to me what an appropriate fix would be.
> >
> > ----- Forwarded message from Raphael Geissert <geiss...@debian.org> -----
> >
> > Date: Thu, 30 Sep 2010 00:36:56 +0000
> > From: Raphael Geissert <geiss...@debian.org>
> > To: sub...@bugs.debian.org
> > Subject: [Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389:
> > insecure library loading
> > Resent-From: Raphael Geissert <geiss...@debian.org>
> >
> > Package: cluster-agents
> > Version: 1:1.0.3-3
> > Severity: important
> > Tags: security
> > User: t...@security.debian.org
> > Usertags: ldpath
> >
> > Hello,
> >
> > During a review of the Debian archive, I've found your package to
> > contain a script that can be abused by an attacker to execute arbitrary
> > code.
> >
> > The vulnerability is introduced by an insecure change to
> > LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> > libraries on a directory other than the standard paths.
> >
> > Vulnerable code follows:
> >
> > /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
> > if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> > /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
> > LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> > /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
> > if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> > /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
> > LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> >
> > When there's an empty item on the colon-separated list of
> > LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> > If the given script is executed from a directory where a potential,
> > local, attacker can write files to, there's a chance to exploit this
> > bug.
>
> So it is run periodically by root (well, the lrmd, as root).
> Even though the cwd of lrmd should be ok, permission wise, in case the
> script does cd into somewhere (I don't think it does, now) where someone
> with lesser privilege was able to place some evil *.so, the next command
> executed by the script may do interesting things.
I really doubt that, though it looks dangerous, there is a way to
exploit this without root access.
> Ok.
>
> Simply doing
> #remove it, if present.
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH#"$DIR_EXECUTABLE"}
> #remove possible remaining leading :
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH#:}
> #prepend it
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
> #remove possible trailing :
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH%:}
Hmm, this smells like bashisms, are they?
Cheers,
Dejan
> Would do away with the empty component as well as the if [ `echo | grep` ].
>
> > This vulnerability has been assigned the CVE id CVE-2010-3389. Please make
> > sure
> > you mention it when forwarding this report to upstream and when fixing
> > this bug (everywhere: upstream and here at Debian.)
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
> > [1] http://security-tracker.debian.org/tracker/CVE-2010-3389
> >
> > Sincerely,
> > Raphael Geissert
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
