Comment 0 for bug 2071574

James Henstridge (jamesh) wrote :

The provd package includes a setuid binary called sprovd that is executable by anyone:

    $ ls -l /usr/libexec/sprovd
    -rwsr-xr-x 1 root provd 2139560 Apr 11 13:48 /usr/libexec/sprovd

There are a few places where this binary executes subprocesses, looking up the executable via $PATH. For example:

    https://github.com/canonical/ubuntu-desktop-provision/blob/d4552766db6e210bd399d199930e2016bac1c7c0/provd/sprovd/sprovd.go#L62-L68

Unfortunately, it doesn't do anything to clean its environment. So the path is controlled by the caller and it can pick which executable gets run with elevated privileges.

The attached exploit script creates a fake "pro" executable that writes its user/group information to a file.

    $ sh exploit.sh
    $ ls -l /tmp/called-from-sprovd.txt
    -rw-rw-r-- 1 root james 144 Jul 1 09:05 /tmp/called-from-sprovd.txt
    $ cat /tmp/called-from-sprovd.txt
    uid=0(root) gid=1000(james) groups=1000(james),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),121(lpadmin),132(lxd),133(sambashare),136(libvirt)

This shows that my executable was called as root and could do anything else that root can do.
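As an added example (not code from the bug report or from the ubuntu-desktop-provision project), the defensive pattern a setuid helper like sprovd needs for this class of bug: the unsafe call the report points at is `exec.Command` with a bare name, which asks Go's `LookPath` to walk the caller-controlled `$PATH`. The hardened version below resolves the command against a fixed, trusted directory list that never consults the process environment, and hands the child a scrubbed environment. The constant `trustedPath` and the function names `resolveTrusted`, `minimalEnv` and `privilegedCommand` are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// trustedPath is the fixed search path a privileged helper should use
// instead of the caller-supplied $PATH. (Assumed value for this example.)
const trustedPath = "/usr/sbin:/usr/bin:/sbin:/bin"

// trustedDirs is trustedPath split into directories, in search order.
var trustedDirs = filepath.SplitList(trustedPath)

// resolveTrusted looks up name only in trustedDirs and ignores the process
// environment entirely. It rejects any name containing a path separator, so
// a caller cannot smuggle in "../x" or an absolute path of their choosing.
func resolveTrusted(name string) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", fmt.Errorf("refusing non-bare command name %q", name)
	}
	for _, dir := range trustedDirs {
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil || info.IsDir() || info.Mode()&0o111 == 0 {
			continue // missing, a directory, or not executable: keep searching
		}
		return candidate, nil
	}
	return "", fmt.Errorf("%q not found in trusted path", name)
}

// minimalEnv builds the environment the child receives: a fixed PATH and a
// safe locale, with nothing inherited from the (untrusted) caller.
func minimalEnv() []string {
	return []string{"PATH=" + trustedPath, "LC_ALL=C"}
}

// privilegedCommand is the hardened counterpart of exec.Command(name, args...):
// the executable is resolved against the fixed path, so exec never performs a
// $PATH lookup, and the child gets a scrubbed environment instead of ours.
func privilegedCommand(name string, args ...string) (*exec.Cmd, error) {
	path, err := resolveTrusted(name)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(path, args...) // absolute path: no LookPath involved
	cmd.Env = minimalEnv()
	return cmd, nil
}

func main() {
	// Demonstration: run "id" the hardened way and show which binary was used.
	cmd, err := privilegedCommand("id", "-u")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	out, err := cmd.Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("ran %s -> uid %s", cmd.Path, out)

	// The same lookup refuses anything that is not a bare command name.
	if _, err := resolveTrusted("../id"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Replacing `cmd.Env` is what matters for a setuid binary: Go's `exec.Cmd` otherwise inherits `os.Environ()`, so even an absolute executable path would still run the child with whatever `PATH`, `LD_PRELOAD`-style or locale variables the caller set. The trusted list also has to be consulted in a fixed order and checked for a regular executable file, which is what the `os.Stat` test does.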