sprovd binary enables local privilege escalation
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
provd (Ubuntu) |
Fix Released
|
High
|
Matthew Hagemann | ||
Noble |
Fix Released
|
High
|
Matthew Hagemann |
Bug Description
The provd 0.1.2 package includes a setuid binary called sprovd that is executable by anyone:
$ ls -l /usr/libexec/sprovd
-rwsr-xr-x 1 root provd 2139560 Apr 11 13:48 /usr/libexec/sprovd
There are a few places where this binary executes subprocesses, looking up the executable via $PATH. For example:
Unfortunately, it doesn't do anything to clean its environment. So the path is controlled by the caller and it can pick which executable gets run with elevated privileges.
The attached exploit script creates a fake "pro" executable that writes it's user/group information to a file.
$ sh exploit.sh
$ ls -l /tmp/called-
-rw-rw-r-- 1 root james 144 Jul 1 09:05 /tmp/called-
$ cat /tmp/called-
uid=0(root) gid=1000(james) groups=
This shows that my executable was called as root and could do anything else that root can do.
CVE References
Changed in provd (Ubuntu): | |
importance: | Undecided → High |
status: | New → Fix Committed |
Changed in provd (Ubuntu Noble): | |
assignee: | nobody → Matthew Hagemann (matt-hagemann) |
importance: | Undecided → High |
status: | New → In Progress |
information type: | Private Security → Public Security |
The simplest mitigation for this would be to remove the world execute bit, so sprovd can only be run by members of the provd group. From what I can tell, this would work in the gnome-initial-setup user environment it is run in. The bug would still be present, but couldn't be exercised by regular users.
It'd be better to get rid of the need for a setuid binary all together though. A D-Bus system daemon using polkit auth might be a better approach, since the unprivileged caller won't be able to control the execution environment of the privileged helper.