Force path environmental variable before calling modprobe #2
This pull request is to resolve the security issue mentioned here:
http://forum.odroid.com/viewtopic.php?f=112&t=19027
Vulnerability
The vulnerability is present in WiringPi's GPIO utility. The vulnerability is present here in this fork, and is exploitable on the Odroid variants of Ubuntu. This vulnerability allows for an attacker to elevate privileges from an unprivileged user to the root user because the `gpio` utility has setuid enabled and is owned by root.
Proof of concept
Attacking this vulnerability is very simple.
Anything written into spi_bcm2708 is executed as a shell script. An attacker could supply /bin/sh into spi_bcm2708 and immediately create a shell environment with the UID as root, which can be used to maintain root access, for instance by modifying the /etc/shadow file.
The vulnerability is that when `system` calls in the C code are made, in some cases, a fully qualified path is not used. This allows an attacker to set their own PATH variables to force the application to call their own application. One method to resolve this is to use fully qualified paths, but this can be a problem when the utility is in different locations. The more flexible method (which is used in the pull request) sets the PATH variable before making the call. This overwrites the path variable for that call, allowing for only valid executable directories to be considered.
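The following is an added example, not code from this pull request or from WiringPi. It shows the forced-PATH idea described above and goes one step further by skipping the shell and dropping the rest of the inherited environment; the name `run_trusted`, the directory list in `TRUSTED_PATH`, and the use of `sh` as a stand-in for `modprobe` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Assumed list of trusted directories; adjust to where the
 * distribution installs the helper (e.g. modprobe). */
#define TRUSTED_PATH \
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/* Run argv[0] without a shell. The program is looked up only in
 * TRUSTED_PATH and the child inherits no other environment variables.
 * Returns the child's exit status, 127 if the program could not be
 * executed, or -1 on fork/wait failure or abnormal termination. */
int run_trusted(char *const argv[])
{
    static char *clean_env[] = { TRUSTED_PATH, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        environ = clean_env;    /* discard the caller's PATH, IFS, ... */
        execvp(argv[0], argv);  /* PATH search now sees clean_env only */
        _exit(127);             /* exec failed: not found in TRUSTED_PATH */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed scenario: the caller's PATH is not trustworthy. */
    char *cmd[] = { "sh", "-c", "exit 0", NULL }; /* stand-in for modprobe */

    setenv("PATH", "/nonexistent-untrusted-dir", 1);
    printf("exit status with forced PATH: %d\n", run_trusted(cmd));
    return 0;
}
```

Only the child's environment is replaced, so the parent process keeps whatever PATH it was started with and every helper invocation has to go through `run_trusted`.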