Fixed
Status Update
Comments
pe...@arm.com <pe...@arm.com> #2
At first glance, this looks related to, or a variant of, AddressSanitizer (ASan) SUID Executable Privilege Escalation - Metasploit (https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/local/asan_suid_executable_priv_esc ). This was logged as https://github.com/google/sanitizers/issues/1130 although I'm not sure that is in the LLVM project itself.
If this is fundamentally the same underlying issue then I expect that this can be dealt with as a public issue.
al...@gmail.com <al...@gmail.com> #3
You are right, seems like the same underlying issue to me.
kr...@arm.com <kr...@arm.com> #4
Since this has been a long-standing publicly known issue, there is no need to keep this ticket embargoed.
Also there is no need for the LLVM security group to keep on being involved, hence closing this ticket.
Note that in the past week, 2 PRs have been created that look to be addressing https://github.com/google/sanitizers/issues/1130 : https://github.com/llvm/llvm-project/pull/92593 and https://github.com/llvm/llvm-project/pull/92611
Description
Security bug details
When executing a setuid binary, no checks are made to prevent writing logs into (unprivileged) user-controlled symbolic links as root. Furthermore, one can control some of the contents of such logs by utilizing log_exe_name=1, for example.
Steps to reproduce:
Compile the setuid binary with ASan:
echo "int main() { return 0; }" > suid.c
clang -fsanitize=address suid.c -o suid
sudo chown root:root suid
sudo chmod +s suid
Run exploit.sh
A successful exploit will write a file to /etc/sudoers.d/test giving NOPASSWD to all users, so you should now be able to run any command as root.
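The report above boils down to two missing checks in a privileged logger: it does not notice that it is running setuid, and it opens a user-supplied log path in a way that follows symlinks. The following C program is an added example written for this page; it is not code from the issue, from the linked PRs or from compiler-rt, and it does not claim to show how those PRs fix the bug. It builds a constructed victim file and a symlink to it inside an unprivileged temp directory (standing in for /etc/sudoers.d/test), shows that a plain open(2) writes through the link, and shows the two generic hardening checks a practitioner would want: comparing real and effective IDs, and opening with O_NOFOLLOW plus an fstat that insists on a regular file. The directory prefix and file names are assumptions for the demo; nothing here needs root.

```c
/* Added example for this page, not code from LLVM/compiler-rt or the
 * linked PRs. Runs entirely unprivileged in a temporary directory. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check 1: are we running with more privilege than the invoking user?
 * A setuid/setgid binary has real != effective IDs. When this returns 1,
 * any path taken from the environment (e.g. a log_path option) must be
 * treated as attacker-controlled. */
int running_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Naive logger: opens whatever path it is given. open(2) without
 * O_NOFOLLOW follows a symlink, so a link planted by the user redirects
 * the write to the link target with the process's (root) privileges. */
int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Check 2: hardened logger. O_NOFOLLOW makes open fail with ELOOP if the
 * final path component is a symlink; the fstat guards against being
 * handed a device or FIFO. Returns an fd >= 0 or -1 on refusal. */
int open_log_hardened(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Builds <tmpdir>/victim and a symlink <tmpdir>/log -> victim (both
 * constructed for the demo), then tries both openers on the link.
 * Returns a bitmask: bit 0 set if the naive open wrote into victim,
 * bit 1 set if the hardened open refused the symlink with ELOOP.
 * Returns -1 on setup failure. */
int demo_symlink_follow(void) {
    char dir[] = "/tmp/asanlogXXXXXX";   /* assumed writable; falls back to cwd */
    char cwd_dir[] = "./asanlogXXXXXX";
    char *d = mkdtemp(dir);
    if (d == NULL)
        d = mkdtemp(cwd_dir);
    if (d == NULL)
        return -1;

    char victim[512], link[512];
    snprintf(victim, sizeof victim, "%s/victim", d);
    snprintf(link, sizeof link, "%s/log", d);

    int vfd = open(victim, O_WRONLY | O_CREAT, 0644);
    if (vfd < 0)
        return -1;
    close(vfd);
    if (symlink(victim, link) != 0)
        return -1;

    int result = 0;

    /* Naive path: the "log line" lands in the victim file. */
    int fd = open_log_naive(link);
    if (fd >= 0) {
        const char *msg = "attacker-influenced log line\n";
        if (write(fd, msg, strlen(msg)) < 0) { /* ignore, checked via stat */ }
        close(fd);
        struct stat st;
        if (stat(victim, &st) == 0 && st.st_size > 0)
            result |= 1;
    }

    /* Hardened path: open must fail with ELOOP on the symlink. */
    errno = 0;
    int hfd = open_log_hardened(link);
    if (hfd < 0 && errno == ELOOP)
        result |= 2;
    if (hfd >= 0)
        close(hfd);

    unlink(link);
    unlink(victim);
    rmdir(d);
    return result;
}

int main(void) {
    printf("running setuid: %d\n", running_setuid());
    printf("demo bitmask (1=naive followed link, 2=hardened refused): %d\n",
           demo_symlink_follow());
    return 0;
}
```

Running it as an ordinary user prints a bitmask of 3: the naive open silently wrote through the link into the victim file, while the O_NOFOLLOW open was refused. In a real setuid logger the first check would come first: when running_setuid() is true, either refuse user-supplied log paths entirely or drop to the real UID before touching the filesystem; O_NOFOLLOW alone does not protect against symlinks in intermediate directory components.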