GNU bug report logs

#47229 Local privilege escalation via guix-daemon and ‘--keep-failed’


Message #28 received at 47229@debbugs.gnu.org (full text, mbox, reply):

References: <aa062a0d-071c-f015-983e-492cf5cee9d8@whitebeamsec.com>
To: 47229@debbugs.gnu.org
From: Nathan Nye <nnye@whitebeamsec.com>
Organization: WhiteBeam Security, Inc.
Subject: Hardlink mitigation limits
Message-ID: <8f95179a-5574-98bd-c44e-f5ee74638dc3@whitebeamsec.com>
Date: Tue, 23 Mar 2021 14:18:14 -0400
Hello,

I'm sharing here for future reference why protected hardlinks alone did 
not mitigate the recent LPE security advisory, pre-patch:

"The reasons why are lines 2633 and 2637 of nix/libstore/build.cc:

 * https://git.savannah.gnu.org/cgit/guix.git/tree/nix/libstore/build.cc#n2633
 * https://git.savannah.gnu.org/cgit/guix.git/tree/nix/libstore/build.cc#n2637

When a package fails to build and the keep failed flag is set 
(-K/--keep-failed), it runs a recursive chown on the build directory 
(which is writable following guixbuilder01 changing the permissions to 
777). It starts at the top level and chowns downwards.

The first important thing to notice here is that at any point (even 
pre-chown) the build user has been compromised. The build user can write 
a SUID /bin/sh to the build path, and because a normal user can traverse 
into the directory before and during the chown, they can run a SUID 
shell (allowing them to become guixbuilder01 even after the build user 
processes are terminated). Becoming the build user allows multiple paths 
to privilege escalation, but in this scenario we have faster ways of 
becoming root.

Moving on to getting root, we're choosing not to use a hardlink to show 
why it isn't necessary. Instead, we create a directory under the build 
directory with thousands of sequentially named files, the final entry 
being "passwd" or "shadow". Then we terminate the build and watch for 
the first entry to be chowned to our user ID (possibly with the inotify 
API). This way, we have opened a lengthy window of time where it is 
enumerating over a list of file paths in our chosen directory and 
chowning each of them. Now we can execute our TOCTOU race condition 
vulnerability.

At the time of check (TOC), the guix-daemon has a list of file paths to 
chown under what it assumes is a regular directory (because it ran 
S_ISDIR on the directory). But we can swap out the directory from under 
it with a symlink to /etc (most efficiently with renameat2() and using 
the RENAME_EXCHANGE flag to atomically exchange the paths). At the time 
of use (TOU) lchown() only checks if the file /itself/ that is being 
chowned is a symlink, not if the path components are, as can be 
demonstrated with Python:

$ mkdir td;touch td/tf;python3 -c 'import os;os.lchown("/home/example/td/tf", 1000, 4)';ls -lahtrd td td/tf
-rw-rw-r-- 1 example adm       0    Mar 19 19:20 td/tf
drwxrwxr-x 2 example example   4.0K Mar 19 19:20 td
$ rm -rf td
$ mkdir td; ln -s td td2;touch td2/tf;python3 -c 'import os;os.lchown("/home/example/td2/tf", 1000, 4)';ls -lahtrd td2 td2/tf
lrwxrwxrwx 1 example example 2 Mar 19 19:21 td2 -> td
-rw-rw-r-- 1 example adm     0 Mar 19 19:21 td2/tf

So lchown can blindly chown /etc/passwd to our user by following the 
directory symlink and subsequently verifying that passwd itself is not a 
symlink. I hope this explains the TOCTOU race condition and why 
protected hardlinks help (forcing an attacker to get root using this 
race condition), but they are not a solution to the problem (alone)."

- Nathan
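The race described above exists because the recursive chown walks by path, so a directory can be exchanged for a symlink between the S_ISDIR check and the lchown() of its children. The defensive pattern, added here as an illustration and not code from guix or from the bug report, is to walk by file descriptor: open each directory with O_NOFOLLOW|O_DIRECTORY and chown every child relative to that fd, so an entry swapped for a symlink mid-walk is rejected rather than followed. The demo() tree (build/ with a symlink to a sibling outside/ directory) is constructed for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Chown `name` (relative to `dirfd`) and everything below it without resolving
 * any path component through a symlink. Returns entries chowned, or -1 on error. */
static long chown_tree_at(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISDIR(st.st_mode))   /* file or symlink: chown the entry itself, never its target */
        return fchownat(dirfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) == 0 ? 1 : -1;
    /* O_NOFOLLOW|O_DIRECTORY: if the entry was exchanged for a symlink (or a file)
     * since fstatat(), open fails instead of following it. Once open, the fd pins
     * the real directory inode, so later renames on the path cannot redirect us. */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);
    if (!d || fchown(fd, uid, gid) != 0) { if (d) closedir(d); else close(fd); return -1; }
    long count = 1; struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        long n = chown_tree_at(fd, ent->d_name, uid, gid);   /* recurse relative to the fd */
        if (n < 0) { closedir(d); return -1; }
        count += n;
    }
    closedir(d);
    return count;
}

/* Constructed demo tree: build/{f1,f2,sub/f3,link->../outside}, outside/{o1,o2}. A path-based
 * walker that follows `link` would also chown outside/; this one chowns exactly 6 entries. */
static long demo(void)
{
    char t[] = "/tmp/chowndemo.XXXXXX", p[4096];
    const char *dirs[] = { "build", "build/sub", "outside" };
    const char *files[] = { "build/f1", "build/f2", "build/sub/f3", "outside/o1", "outside/o2" };
    if (!mkdtemp(t)) return -1;
    for (size_t i = 0; i < 3; i++)
        if (snprintf(p, sizeof p, "%s/%s", t, dirs[i]) < 0 || mkdir(p, 0700) != 0) return -1;
    for (size_t i = 0; i < 5; i++)
        if (snprintf(p, sizeof p, "%s/%s", t, files[i]) < 0 || close(open(p, O_WRONLY | O_CREAT, 0600)) != 0) return -1;
    snprintf(p, sizeof p, "%s/build/link", t); if (symlink("../outside", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/build", t);
    return chown_tree_at(AT_FDCWD, p, getuid(), getgid());   /* chown to self: no privilege needed */
}
```

The demo leaves its temporary tree under /tmp so the result can be inspected with ls -l afterwards.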




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Thu Jan 2 17:50:49 2025; Machine Name: wallace-server
