checkinstall adds local root exploits to any package with a symlink in it
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | checkinstall (Ubuntu) |
Undecided
|
Unassigned | ||
Bug Description
I create a tarball using the following script, it's a file, and a symlink to a file.
--8<---
#!/bin/sh
rm -rf usr/bin
mkdir -p usr/bin
echo -e '#!/bin/sh\necho Hi I am `id`' > usr/bin/writable
chmod 755 usr/bin/writable
ln -sf writable usr/bin/vulnerable
tar c usr/bin/writable usr/bin/vulnerable | gzip -c > pkg.tar.gz
--8<---
Then, I make untaring this file the subject of a checkinstall package:
checkinstall \
-d0 \
-y \
-- \
bash -c "gzip -cd pkg.tar.gz| (cd /; tar xv)"
Then I install this package with dpkg and end up with:
lrwxrwxrwx 1 gianni gianni 8 Jan 29 12:50 /usr/bin/vulnerable -> writable
-rwxrwxrwx 1 gianni gianni 31 Jan 29 12:50 /usr/bin/writable
Oh no, world writable binary, when the original was mode 755. Now a user can modify the contents and wait for root to run the command. Hey presto, local privlege execution and arbitrary code execution.
Looks like this is due to some fubar surround preservation of permissions vs symlinks.
| Gianni Tedesco (scara) wrote : | #1 |
| summary: |
- checkinstall may add local root exploits to packages with symlinks in - them + checkinstall adds local root exploits to any package with a symlink in + it |
| Seth Arnold (seth-arnold) wrote : | #2 |
Hello, nice writeup and reproducer; have you reported these issues upstream yet?
Thanks
| information type: | Private Security → Public Security |
| Gianni Tedesco (scara) wrote : | #3 |
Ah no, the upstream link I found on launchpad was dead but I think I know what to do with it now.
| Gianni Tedesco (scara) wrote : | #4 |
Welp, their bugtracker is dead and I wasn't sure about how appropriate the mailing list would be
| Gianni Tedesco (scara) wrote : | #5 |
Sent an email to the maintainer
| Stephen Gelman (ssgelm) wrote : | #6 |
Hi!
I am the Debian maintainer of checkinstall. As you have noticed the upstream appears to be pretty dead. I've tried to contact the original author about the bug tracker being down and have never received a reply. I will see what I can do to fix the security issues you reported in the Debian package which will then be pulled into Ubuntu.
Thanks,
Stephen
| Seth Arnold (seth-arnold) wrote : | #7 |
Hello Stephen, pity the original authors have moved on, but I can understand. Thanks for giving this a look.
Thanks
| Changed in checkinstall (Ubuntu): | |
| status: | New → Confirmed |
A related bug, which I don't want to post separately because it's too close to this.
Is that when the tar creation has the symlink and the target in the opposite order, then checkinstall fails totally (note that the command being run works when NOT being run under checkinstall):
checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
This software is released under the GNU GPL.
*******
**** Debian package creation selected ***
*******
This package will be built according to these values:
0 - Maintainer: [ root@turf ]
1 - Summary: [ Package created with checkinstall 1.6.2 ]
2 - Name: [ vulnerable ]
3 - Version: [ 13.37 ]
4 - Release: [ 2 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ amd64 ]
8 - Source location: [ checkpwn ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ vulnerable ]
12 - Conflicts: [ ]
13 - Replaces: [ ]
Enter a number to change any of them or press ENTER to continue:
Installing with bash -c gzip -cd rev.tar.gz| (cd /; tar xv)...
=======
usr/bin/vulnerable
tar: usr/bin/vulnerable: Cannot change mode to rwxrwxrwx: No such file or directory
usr/bin/writable
tar: Exiting with failure status due to previous errors
**** Installation failed. Aborting package creation.
Cleaning up...OK
Bye.