[Debian-ha-maintainers] Bug#598549: [Linux-ha-dev] Fwd: Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading

Fri Oct 1 16:11:08 UTC 2010

On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> Hi linux-ha-dev,
> 
> I received this through the Debian bug tracker.
> Its not immediately clear to me what an appropriate fix would be.
> 
> ----- Forwarded message from Raphael Geissert <geissert at debian.org> -----
> 
> Date: Thu, 30 Sep 2010 00:36:56 +0000
> From: Raphael Geissert <geissert at debian.org>
> To: submit at bugs.debian.org
> Subject: [Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389:
> 	insecure library loading
> Resent-From: Raphael Geissert <geissert at debian.org>
> 
> Package: cluster-agents
> Version: 1:1.0.3-3
> Severity: important
> Tags: security
> User: team at security.debian.org
> Usertags: ldpath
> 
> Hello,
> 
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
> 
> Vulnerable code follows:
> 
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
>   LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
>   if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
>     LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> 
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.

So it is run periodically by root (well, the lrmd, as root).
Even though the cwd of lrmd should be ok, permission wise, in case the
script does cd into somewhere (I don't think it does, now) where someone
with lesser privilege was able to place some evil *.so, the next command
executed by the script may do interesting things.

Ok.

Simply doing
#remove it, if present.
LD_LIBRARY_PATH=${LD_LIBRARY_PATH#"$DIR_EXECUTABLE"}
#remove possible remaining leading :
LD_LIBRARY_PATH=${LD_LIBRARY_PATH#:}
#prepend it
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
#remove possible trailing :
LD_LIBRARY_PATH=${LD_LIBRARY_PATH%:}

Would do away with the empty component as well as the if [ `echo | grep` ].

> This vulnerability has been assigned the CVE id CVE-2010-3389. Please make sure
> you mention it when forwarding this report to upstream and when fixing
> this bug (everywhere: upstream and here at Debian.)
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
> [1] http://security-tracker.debian.org/tracker/CVE-2010-3389
> 
> Sincerely,
> Raphael Geissert