Page MenuHomePhabricator

enlightenment_system: ecore_file_app_installed(): can be tricked into returning bogus results
Closed, ResolvedPublic

Description

i) ecore_file_app_installed() can be tricked into returning bogus results

Various calls to ecore_file_app_installed() are performed in the context of
the setuid-root binary. This function performs a direct check for the
existence of the given filename before checking the directories found in the
PATH environment variable.

Since the CWD is controlled by a potential attacker (see g)), the attacker can
place arbitrary files named like the searched binaries in the CWD. As a
result the ecore_file_app_installed() will returns bogus results. I couldn't
find any way to exploit this fact in the context of the setuid-root binary,
however.

I suggest *not* to check the CWD in ecore_file_app_installed() installed. If
the CWD should be checked then the PATH environment variable should contain
"." instead.

http://bugzilla.suse.com/show_bug.cgi?id=1170178

simotek created this task.Apr 22 2020, 4:10 AM
simotek triaged this task as High priority.

hmmm the "check file as given" is intended to handle full paths like /usr/local/bin/xxx or ./bin/xxx or ../bvin/xx and so if a full/relative path is given it is ... installed (if it can be executed). so i guess i should check to see if its a full apth to avoid false positives in ecore_file ... :)

since i changed CWD already this here should be addressed with d42605f5c095c6cef3e18703b42264566616380b and the ecore_file thing does need to allow full and relative paths to be correct.

indeed it manually sets a restricted PATH so it can;'t be exploited other than to have it not actually function.