Busybox on musl is affected by CVE-2015-1817
Denys Vlasenko
vda.linux at googlemail.com
Tue Mar 31 19:07:19 UTC 2015
On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias at libc.org> wrote:
> For details on CVE-2015-1817, see:
> http://www.openwall.com/lists/musl/2015/03/30/1
>
> With musl-linked Busybox installed setuid and ping enabled, exploiting
> this issue is trivial.
>
> While CVE-2015-1817 is certainly musl's fault, there are two changes
> to Busybox I'd like to propose that would have prevented it from being
> exploitable:
>
> 1. Having setuid utilities like ping obtain the resource they need (in
> the case of ping, SOCK_RAW) without processing user input at all,
> then fully dropping root (setuid(getuid())) before doing anything.
> This has been standard practice for setuid programs since the 90s
> and it feels bad that busybox is not doing it.
In general this is acceptable, but with this particular case
and CVE, it wouldn't help.
create_icmp_socket(lsa) needs to know of which address family
the socket should be:
if (lsa->u.sa.sa_family == AF_INET6)
sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
else
sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */
This is only known after HOST is parsed.
And CVE is in DNS resolving code :(
> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
> ping, which allows it to run without root.
This seems to lead to a significantly larger code.
More information about the busybox
mailing list