checkinstall adds local root exploits to any package with a symlink in it
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| checkinstall (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
I create a tarball using the following script; it contains a file and a symlink to that file.
```sh
#!/bin/sh
# Build a tree with a mode-755 script and a symlink pointing at it.
rm -rf usr/bin
mkdir -p usr/bin
# printf rather than `echo -e`: dash's echo has no -e flag and would write a literal "-e" into the file
printf '#!/bin/sh\necho Hi I am `id`\n' > usr/bin/writable
chmod 755 usr/bin/writable
ln -sf writable usr/bin/vulnerable
# Order matters: the regular file is archived before the symlink
tar c usr/bin/writable usr/bin/vulnerable | gzip -c > pkg.tar.gz
```
Then, I make untarring this file the subject of a checkinstall package:
```sh
checkinstall \
  -d0 \
  -y \
  -- \
  bash -c "gzip -cd pkg.tar.gz| (cd /; tar xv)"
```
Then I install this package with dpkg and end up with:
```
lrwxrwxrwx 1 gianni gianni 8 Jan 29 12:50 /usr/bin/vulnerable -> writable
-rwxrwxrwx 1 gianni gianni 31 Jan 29 12:50 /usr/bin/writable
```
Oh no, world-writable binary, when the original was mode 755. Now a user can modify the contents and wait for root to run the command. Hey presto, local privilege execution and arbitrary code execution.
Looks like this is due to some fubar surrounding preservation of permissions vs symlinks.
Changed in checkinstall (Ubuntu): status: New → Confirmed
A related bug, which I don't want to post separately because it's too close to this, is that when the tar creation has the symlink and the target in the opposite order, checkinstall fails totally (note that the command being run works when NOT being run under checkinstall):
```
checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
This software is released under the GNU GPL.
******* ******* ******* ******* ******* ****** ******* ******* ******* ******* ******
**** Debian package creation selected ***
*******
This package will be built according to these values:
0 - Maintainer: [ root@turf ]
1 - Summary: [ Package created with checkinstall 1.6.2 ]
2 - Name: [ vulnerable ]
3 - Version: [ 13.37 ]
4 - Release: [ 2 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ amd64 ]
8 - Source location: [ checkpwn ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ vulnerable ]
12 - Conflicts: [ ]
13 - Replaces: [ ]
Enter a number to change any of them or press ENTER to continue:
Installing with bash -c gzip -cd rev.tar.gz| (cd /; tar xv)...
======= ======= ======= ==== Installation results ======= ======= ======= ======
usr/bin/vulnerable
tar: usr/bin/vulnerable: Cannot change mode to rwxrwxrwx: No such file or directory
usr/bin/writable
tar: Exiting with failure status due to previous errors
**** Installation failed. Aborting package creation.
Cleaning up...OK
Bye.
```
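As an added example (not part of the bug report or of checkinstall itself), the script below reproduces both symptoms in a throwaway directory instead of /: a symlink reports mode 777, and re-applying that recorded mode with chmod, which follows links, is what turns the 755 target into 777 in the first report and fails with "No such file or directory" on the dangling link in the second. A safe restore simply skips symlinks, and an audit function lists world-writable regular files in a tree after a checkinstall-built package is installed. It assumes GNU stat and find; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not checkinstall's code. Assumes GNU coreutils (stat -c) and GNU find.

# Build the reporter's tree under $1: a 755 script plus a symlink pointing at it.
make_tree() {
    mkdir -p "$1/usr/bin"
    printf '#!/bin/sh\necho Hi I am `id`\n' > "$1/usr/bin/writable"
    chmod 755 "$1/usr/bin/writable"
    ln -sf writable "$1/usr/bin/vulnerable"
}

# Naive mode restore, the behaviour the bug report observes: apply each entry's
# recorded mode with chmod. A symlink records mode 777, and chmod follows the link,
# so the target ends up 777. If the link's target does not exist yet (reverse tar
# order), chmod fails with ENOENT, which is the "Cannot change mode" error above.
restore_modes_naive() {
    for f in "$1"/usr/bin/*; do
        chmod "$(stat -c '%a' "$f")" "$f"   # stat does not follow links; chmod does
    done
}

# Safe restore: a symlink carries no meaningful mode of its own, so skip it.
restore_modes_safe() {
    for f in "$1"/usr/bin/*; do
        [ -L "$f" ] && continue
        chmod "$(stat -c '%a' "$f")" "$f"
    done
}

# Audit check: print regular files under $1 that are world-writable.
# Returns 0 when none are found, 1 when at least one is.
find_world_writable() {
    out=$(find "$1" -type f -perm -002)
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run `find_world_writable /usr/bin` (or over the package's file list) after installing a checkinstall-built package to catch the 777 target before root executes it.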