Force path environmental variable before calling modprobe #2

Merged
merged 1 commit into from Feb 29, 2016

@ghost ghost commented Feb 27, 2016

This pull request is to resolve the security issue mentioned here:
http://forum.odroid.com/viewtopic.php?f=112&t=19027

Vulnerability

The vulnerability is present in WiringPi's GPIO utility. The vulnerability is present here in this fork, and is exploitable on the Odroid variants of Ubuntu. This vulnerability allows for an attacker to elevate privileges from an unprivileged user to the root user because the gpio utility has setuid enabled and is owned by root.

Proof of concept

Attacking this vulnerability is very simple.

odroid@goldie:/tmp/poc$ echo "whoami" > spi_bcm2708
odroid@goldie:/tmp/poc$ ln -s /bin/sh /tmp/poc/modprobe
odroid@goldie:/tmp/poc$ PATH=/tmp/poc:$PATH /usr/local/bin/gpio load spi
root
/usr/local/bin/gpio: Unable to load spi_bcm2708

Anything written into spi_bcm2708 is executed as a shell script. An attacker could supply /bin/sh into spi_bcm2708 and immediately create a shell environment with the UID as root, which can be used to maintain root access, for instance by modifying the /etc/shadow file.

The vulnerability is that when system calls in the C code are made, in some cases, a fully qualified path is not used. This allows an attacker to set their own PATH variables to force the application to call their own application. One method to resolve this is to use fully qualified paths, but this can be a problem when the utility is in different locations. The more flexible method (which is used in the pull request) sets the PATH variable before making the call. This overwrites the path variable for that call, allowing for only valid executable directories to be considered.

charles-park added a commit that referenced this pull request Feb 29, 2016
Force path environmental variable before calling modprobe
@charles-park charles-park merged commit 45c5983 into hardkernel:master Feb 29, 2016
This pull request was closed.
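The following is an added example, not code from this pull request or from WiringPi. It sketches a variant of the fix described above: instead of overwriting PATH in the calling process, the helper is started with a fixed, minimal environment, and a small resolver shows which file a given PATH would select. The names `resolve_in`, `run_trusted` and the `TRUSTED_PATH` value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Assumed trusted directories (root-owned on a stock install). */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Report which file a PATH search for `name` would pick: the first
 * executable match, in directory order. Empty entries are skipped
 * here. Returns 0 and fills `out`, or -1 if nothing matches. */
int resolve_in(const char *path, const char *name, char *out, size_t n)
{
    while (*path) {
        size_t len = strcspn(path, ":");
        if (len > 0 &&
            snprintf(out, n, "%.*s/%s", (int)len, path, name) < (int)n &&
            access(out, X_OK) == 0)
            return 0;
        path += len;
        if (*path == ':')
            path++;
    }
    return -1;
}

/* Run argv[0] with a fixed, minimal environment so the caller's PATH
 * and other variables never reach the helper. Returns the helper's
 * exit status, 127 if it could not be executed, -1 on fork/wait error. */
int run_trusted(char *const argv[])
{
    static char *clean_env[] = { "PATH=" TRUSTED_PATH, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        environ = clean_env;     /* child only; parent env untouched */
        execvp(argv[0], argv);   /* searched in TRUSTED_PATH only */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling `resolve_in(getenv("PATH"), "modprobe", ...)` beside `resolve_in(TRUSTED_PATH, "modprobe", ...)` in a setuid program makes any difference between the caller-controlled lookup and the trusted one visible before anything is executed.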