ArcticaProject / nx-libs


Vulnerability Report: Path traversal and Code Execution in dlopen via environment variable #1067

Closed cldrn closed 5 months ago

cldrn commented 9 months ago

Vulnerability Report: Path traversal and Code Execution in dlopen via environment variable

Affected Project & Line: https://github.com/ArcticaProject/nx-libs/blob/3ef7845746c4ec1ac75825ccebc17168e0400cfa/nx-X11/extras/Mesa_6.4.2/src/glx/x11/dri_glx.c#L199

Summary

Applications using nx-libs may be vulnerable to attacks where a local attacker could execute arbitrary code through a maliciously crafted library, loaded via the dlopen() function. This could potentially lead to privilege escalation.

Details

The application reads unsanitized data from the environment variable. This tainted path is subsequently used directly by dlopen() without sufficient validation, allowing directory traversal and possibly loading external malicious libraries.

The security check currently implemented using [specific security check, e.g., geteuid() == getuid()] does not adequately protect against this vulnerability.

Reproduction Steps

1. Set the affected environment variable to a path containing a maliciously crafted library.
2. Run the application or initiate the specific function that calls dlopen().
3. Observe that the malicious code within the library gets executed.

Impact

Attackers with local access can load and execute arbitrary code in systems using the affected application. This can lead to data corruption, data theft, and potentially complete system compromise depending on the application's privileges.

Recommendation

• Implement thorough input validation for the paths loaded via the environment variables.
• Use a whitelist of allowed paths or directory names to mitigate the risk of arbitrary directory traversal.
• Drop elevated privileges immediately after they are no longer required.
• Regularly audit and review the code to ensure that all paths from which libraries or other external resources are loaded are properly validated.
• Check and compare the real group ID and the effective group ID with getgid() and getegid().

CVSS Score

High 7.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H]

Root Cause Analysis

The root cause of this vulnerability stems from the lack of input validation when reading paths from environment variables and the subsequent insecure use of such paths with the dlopen() function.

Additional References/More information

https://docs.google.com/document/d/1lRE2lc00WAYa-427crBFO1yBzU7fSUmQIanh9W8Rglo/edit?usp=sharing
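The pattern the report describes, and the combination of checks its recommendations amount to, side by side. This is an added illustration, not code from nx-libs, Mesa or the reporter: the environment variable name `EXAMPLE_DRI_DRIVER_DIR`, the two allowlisted directories and the `<name>_dri.so` naming scheme are assumptions chosen for the example, not what dri_glx.c actually uses.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed names for illustration only: the variable nx-libs/Mesa actually
 * reads and the real driver directories are not reproduced here. */
#define DRIVER_ENV "EXAMPLE_DRI_DRIVER_DIR"
static const char *const allowed_dirs[] = { "/usr/lib/dri", "/usr/local/lib/dri" };
#define N_ALLOWED (sizeof allowed_dirs / sizeof allowed_dirs[0])

/* The pattern the report describes: the directory comes straight from the
 * environment and is handed to dlopen() with no check at all. An override
 * such as "/tmp/evil" or "/usr/lib/dri/../../../tmp" is accepted as-is. */
void *load_driver_unsafe(const char *name)
{
    char path[4096];
    const char *dir = getenv(DRIVER_ENV);
    if (dir == NULL)
        dir = allowed_dirs[0];
    snprintf(path, sizeof path, "%s/%s_dri.so", dir, name);
    return dlopen(path, RTLD_NOW);
}

/* 1 when real and effective uid/gid match, i.e. no set-id transition took
 * place and the environment is as trustworthy as the invoking user. */
int env_trustworthy(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* 1 only for an exact string match against the allowlist: "..", trailing
 * slashes and any other traversal spelling are rejected because the string
 * simply differs from every allowed entry. */
int dir_allowed(const char *dir)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(dir, allowed_dirs[i]) == 0)
            return 1;
    return 0;
}

/* 1 when name is a bare driver name: non-empty, bounded, no '/' and no "..". */
int driver_name_ok(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 64)
        return 0;
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL)
        return 0;
    return 1;
}

/* Builds "<dir>/<name>_dri.so" into out and returns 1, or returns 0 when dir
 * (NULL = default) is not allowlisted, name is malformed, or out is too small. */
int build_driver_path(const char *dir, const char *name, char *out, size_t outlen)
{
    if (!driver_name_ok(name))
        return 0;
    if (dir == NULL)
        dir = allowed_dirs[0];
    if (!dir_allowed(dir))
        return 0;
    int n = snprintf(out, outlen, "%s/%s_dri.so", dir, name);
    return n > 0 && (size_t)n < outlen;
}

/* Hardened form: the override is honoured only when no privilege transition
 * happened, and even then only if it names an allowlisted directory. */
void *load_driver_hardened(const char *name)
{
    char path[4096];
    const char *dir = env_trustworthy() ? getenv(DRIVER_ENV) : NULL;
    if (!build_driver_path(dir, name, path, sizeof path))
        return NULL;
    return dlopen(path, RTLD_NOW | RTLD_LOCAL);
}

int main(void)
{
    char path[4096];
    /* Constructed sample overrides: default, allowed, traversal, absolute escape. */
    const char *overrides[] = { NULL, "/usr/local/lib/dri", "/usr/lib/dri/../../../tmp", "/tmp/evil" };
    for (size_t i = 0; i < 4; i++) {
        int ok = build_driver_path(overrides[i], "i965", path, sizeof path);
        printf("%-28s -> %s\n", overrides[i] ? overrides[i] : "(unset)", ok ? path : "rejected");
    }
    return 0;
}
```

The uid/gid comparison on its own is exactly the check the report calls insufficient: it stops a set-id binary from honouring a hostile environment, but does nothing against traversal when the caller already runs as the attacker. The exact-match allowlist is what closes the traversal; it is deliberately a string comparison rather than a `realpath()` check so that the decision does not depend on the filesystem state at load time. On glibc, `secure_getenv()` (which returns NULL whenever the process is flagged secure, e.g. after a set-id transition) is a drop-in alternative to the `env_trustworthy()` guard. Whether the nxagent build reaches this code at all is the question the maintainer raises in the reply below.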

uli42 commented 9 months ago

Thanks for reporting this! We are aware that we are using a rather old mesa version here. But we need to check if this bug really affects NX as we are only using a part of the source code in the final nxagent executable. Do you have an exploit?

[Update: fixed typos]

Paulino Calderon @.***> wrote on Mon., 18 Sept. 2023, 02:38:
