Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: critical
Tags: security patch
While debugging another issue, Mithrandir, mbiebl and I stumbled upon the following:

All hooks in /etc/dhcp/dhclient-enter-hooks.d, such as "samba" when the samba package is installed, are called with a PATH environment variable containing this:

PATH=/home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin

Since hooks (at least "samba") can call arbitrary commands and are running as uid 0 (root), this poses a security issue when the following assumptions are true:

1. The system you want to exploit has samba installed (or any other package which comes with a dhclient-enter-hook).
2. The attacker has the possibility of obtaining the username "zero79" and thus can create executable files in /home/zero79/source/git/isc-dhcp/debian/tmp/usr/sbin
3. The DHCP hook needs to be called to trigger the exploit, which happens at least on system start or after /etc/init.d/networking restart, possibly also when just renewing the dhcp-lease (unverified).

Here is a demonstration of this issue:

zero79@squeezevm:~$ id -a
uid=1001(zero79) gid=1001(zero79) groups=1001(zero79)
zero79@squeezevm:~$ mkdir -p source/git/isc-dhcp/debian/tmp/usr/sbin
zero79@squeezevm:~$ cat >source/git/isc-dhcp/debian/tmp/usr/sbin/mv <<'EOF'
#!/bin/sh
echo "my script is run as: $(whoami) $(id -a)" > /tmp/exploited
EOF
zero79@squeezevm:~$ chmod +x source/git/isc-dhcp/debian/tmp/usr/sbin/mv

root@squeezevm:~# /etc/init.d/networking restart
Restarting networking (via systemctl): networking.service.
root@squeezevm:~# ls -hltr /tmp
total 8.0K
-rw-r--r-- 1 root root 966 Oct 14 13:42 samba
-rw-r--r-- 1 root root  65 Oct 14 14:02 exploited
root@squeezevm:~# cat /tmp/exploited
my script is run as: root uid=0(root) gid=0(root) groups=0(root)

At this point, "zero79" has root access to the system.

Raphael Geissert has resolved this issue in a timely fashion; his statement follows and his patch is attached:

The insertion of that path does not appear to be malicious.
Rather, it appears to be a mistake in debian/rules as --prefix is set to $(pwd)/debian/tmp/, instead of setting DESTDIR when calling make install.

client/Makefile.am defines CLIENT_PATH to "PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin", which is later injected into the env.

Due to what appears to be a bug in squeeze's Makefile.am, squeeze is not affected.

Attached patch fixes the problem. Since I've already built the package for wheezy, I'm going to upload it.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: armel i386

Kernel: Linux 3.5.0 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.3.2
ii  iproute          20120521-3
ii  isc-dhcp-common  4.2.2.dfsg.1-5
ii  libc6            2.13-35

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
pn  avahi-autoipd  <none>
pn  resolvconf     <none>

-- no debconf information
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/rules isc-dhcp-4.2.2.dfsg.1/debian/rules --- isc-dhcp-4.2.2.dfsg.1/debian/rules 2012-09-17 16:48:31.000000000 -0500 +++ isc-dhcp-4.2.2.dfsg.1/debian/rules 2012-10-14 15:12:29.000000000 -0500 @@ -39,8 +39,8 @@ dh_testdir ./configure \ - --prefix=$(DESTDIR)/usr \ - --sysconfdir=$(DESTDIR)/etc/dhcp \ + --prefix=/usr \ + --sysconfdir=/etc/dhcp \ --with-srv-lease-file=/var/lib/dhcp/dhcpd.leases \ --with-srv6-lease-file=/var/lib/dhcp/dhcpd6.leases \ --with-cli-lease-file=/var/lib/dhcp/dhclient.leases \ @@ -67,8 +67,8 @@ dh_testdir ./configure \ - --prefix=$(DESTDIR)/usr \ - --sysconfdir=$(DESTDIR)/etc/dhcp \ + --prefix=/usr \ + --sysconfdir=/etc/dhcp \ --with-srv-lease-file=/var/lib/dhcp/dhcpd.leases \ --with-srv6-lease-file=/var/lib/dhcp/dhcpd6.leases \ --with-cli-lease-file=/var/lib/dhcp/dhclient.leases \ @@ -99,7 +99,7 @@ dh_installdirs -A # Add here commands to install the package into debian/tmp. - $(MAKE) install + $(MAKE) install DESTDIR=$(DESTDIR) mkdir -p $(DESTDIR)/etc/dhcp
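Review bot: Dropping $(DESTDIR) from --prefix in the first configure call (@@ -39,8) is the substantive fix rather than a cosmetic one, because configure derives sbindir from prefix and client/Makefile.am bakes that value into CLIENT_PATH at build time, so a build-tree prefix becomes the first PATH entry of every root-run dhclient hook; please add a build-time check so this cannot regress silently, e.g. after `make install` run `strings $(DESTDIR)/usr/sbin/dhclient | grep '^PATH='` and fail the build if the result is anything other than the expected `PATH=/usr/sbin:/sbin:/bin:/usr/sbin:/usr/bin`.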
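Review bot: The second configure invocation (@@ -67,8) repeats the first one option for option, so this hunk is the same fix applied twice; to keep the two targets from drifting apart again, consider collecting the shared options in one variable, e.g. `CONFIGURE_COMMON = --prefix=/usr --sysconfdir=/etc/dhcp --with-srv-lease-file=/var/lib/dhcp/dhcpd.leases ...`, and referencing it from both targets so a future path change lands in one place.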
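Review bot: `$(MAKE) install DESTDIR=$(DESTDIR)` (@@ -99,7) is the correct counterpart to removing $(DESTDIR) from --prefix, but the hunk does not show where DESTDIR is defined; verify that debian/rules sets it to an absolute path (the comment above the install line says debian/tmp) before this target runs, since an empty DESTDIR would now make `make install` write into the build host's real /usr and /etc/dhcp instead of into the package tree. With --sysconfdir now /etc/dhcp, the following `mkdir -p $(DESTDIR)/etc/dhcp` is probably created by install itself; it is harmless to keep, but worth a comment saying why it stays.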