Package: libc6
Version: 2.7-15

Hello.

I just noticed that the libc6 package included in the unstable and testing repositories has a misconfiguration that can potentially lead to a root compromise by any local user that belongs to the 'staff' group (or that is able to write in /usr/local/lib somehow).

The problem is in this file: /etc/ld.so.conf.d/libc.conf, which contains:

    # libc default configuration
    /usr/local/lib

And /usr/local/lib is writable by users in the staff group by default. While that group is intended for users that can compile/install software locally and do not need superuser rights, this thing will eventually grant them root privs quite easily.

If I am an intruder and got 'staff' group rights I would:

* compile a shared library named like some real one in /lib, declare some function which is declared in the real /lib one which executes arbitrary code.
* The library should imitate one that a suidroot binary is linked against
* wait until the superuser installs a new .deb package or updates the system (since many .deb packages do a ldconfig in their post-install phase).
* execute the setuid binary and have my arbitrary code run with superuser privileges.

I have described a similar scenario there (sorry, it's not in English, but it should be kinda graspable):

http://www . gat3way . eu/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=6&cntnt01returnid=15 (cut the spaces in the URL).

It actually imitates the libselinux library and exploits the gpasswd to create a root-owned, suid setuid() wrapper for /bin/bash.

Hope that helps.
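
A defender-side check for the condition this report describes, as an added example that is not part of the original message or of any Debian tooling: it walks /etc/ld.so.conf and its includes, flags listed directories that are not owned by root or are group- or world-writable, and lists files there whose names match a library in /lib or /usr/lib. The function names, the TRUSTED list and the sample file name libselinux.so.1 are assumptions made for the example.

```python
import glob, os, re, stat, tempfile

TRUSTED = ("/lib", "/usr/lib")  # assumption: the loader's built-in default directories

def under(root, path):
    return os.path.join(root, path.lstrip("/"))

def conf_dirs(conf, root="/"):
    """Directories listed in an ld.so.conf file, following its include lines."""
    found = []
    with open(under(root, conf)) as fh:
        for raw in fh:
            words = re.split(r"[\s:,]+", raw.split("#", 1)[0].strip())
            if words[0] == "include":
                for pat in words[1:]:
                    pat = os.path.join(os.path.dirname(conf), pat)  # absolute pat is kept
                    for hit in sorted(glob.glob(under(root, pat))):
                        found += conf_dirs("/" + os.path.relpath(hit, root), root)
            else:
                found += [w for w in words if w]
    return found

def audit(root="/", conf="/etc/ld.so.conf", owner=0):
    """Return (dirs writable by anyone but owner, files named like a TRUSTED library)."""
    names = {os.path.basename(p) for d in TRUSTED for p in glob.glob(under(root, d) + "/*.so*")}
    dirs = [d for d in dict.fromkeys(conf_dirs(conf, root)) if os.path.isdir(under(root, d))]
    risky, shadows = [], []
    for d in dirs:
        st = os.stat(under(root, d))
        if st.st_uid != owner or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(d)
        shadows += [p for p in sorted(glob.glob(under(root, d) + "/*.so*"))
                    if d not in TRUSTED and os.path.basename(p) in names]
    return risky, shadows

def demo():
    """Constructed tree mirroring the report: libc.conf lists a group-writable /usr/local/lib."""
    root = tempfile.mkdtemp()
    files = {"/etc/ld.so.conf": "include /etc/ld.so.conf.d/*.conf\n",
             "/etc/ld.so.conf.d/libc.conf": "# libc default configuration\n/usr/local/lib\n",
             "/lib/libselinux.so.1": "", "/usr/local/lib/libselinux.so.1": ""}  # constructed names
    for name, text in files.items():
        os.makedirs(os.path.dirname(under(root, name)), exist_ok=True)
        with open(under(root, name), "w") as fh:
            fh.write(text)
    os.chmod(under(root, "/usr/local/lib"), 0o775)
    return root, audit(root, owner=os.getuid())

if __name__ == "__main__":
    print(audit())  # audit the live system; owner=0 means root
```

Any file reported in the second list deserves a package-ownership check (for example with dpkg -S) before the next ldconfig run.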

