oss-sec mailing list archives
xawtv: CVE-2020-13696: v4l-conf setuid-root program allows file existence tests and open(..., O_RDRW) on arbitrary files
From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 4 Jun 2020 16:09:59 +0200
Hello,

xawtv [1] contains a setuid-root program called `v4l-conf` that is supposed to allow regular users to configure v4l devices. xawtv is pretty old code but it is still shipped on some distributions like Debian and openSUSE.

Vulnerability Description
=========================

While checking the source code of `v4l-conf` I noticed that it allows regular users to perform arbitrary file existence tests and also to perform `open(..., O_RDWR)` and `fstat()` system calls on arbitrary files.

The issue is found in the `dev_open()` function which only contains a naive security check:

```
if (strncmp(device, "/dev/", 5)) {
    fprintf(stderr, "error: %s is not a /dev file\n", device);
    exit(1);
}
```

This check is not safe against relative path components or symlinks in /dev/shm. Example:

```
# in this case the file does not exist
user $ v4l-conf -c /dev/../root/.bashrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
can't open /dev/../root/.bashrc: No such file or directory

# in this case the file exists
user $ v4l-conf -c /dev/../root/.bash_history
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.bash_history: wrong device
```

Some devices in /dev might also trigger code paths upon open() in the kernel that are usually not reachable to regular users.

Bugfix
======

Upstream added two fixes in their Git repository [2]:

- commit 31f31f9cbaee7be806cba38e0ff5431bd44b20a3
- commit 36dc44e68e5886339b4a0fbe3f404fb1a4fd2292

The fix is still incomplete though. It avoids performing an `open()` on unintended files. But it still allows the file existence test to be performed. Attached is a small patch that also fixes that.

Timeline
========

2020-05-14: I privately reported the finding to mchehab+samsung () kernel org, one of the xawtv maintainers denoted in [3].
2020-05-14 - 2020-05-29: various discussions with the maintainer about the fix. He published the partial fixes in the Git repository right away.
2020-05-29: I reported to the maintainer that the fix is still incomplete but did not hear back since then.
2020-05-29: I requested and obtained a CVE from Mitre for this issue.

[1]: https://www.linuxtv.org/wiki/index.php/Xawtv
[2]: https://git.linuxtv.org/xawtv3.git
[3]: https://www.linuxtv.org/wiki/index.php/Media_Maintainers#XawTV

Cheers

Matthias

--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer
Attachment:
0001-v4l-conf-use-the-same-error-messages-for-stat-and-ty.patch
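The prefix check quoted in the message, next to a canonicalise-then-check variant that returns one uniform result for every failure, so the caller has nothing to print that distinguishes "missing" from "wrong type". This is an added example, not xawtv code and not the attached patch; the function names `naive_is_dev_path` and `checked_is_dev_path` and the sample paths are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* The check quoted in the advisory: a textual prefix test on user input. */
int naive_is_dev_path(const char *device)
{
    return strncmp(device, "/dev/", 5) == 0;
}

/*
 * Hypothetical replacement: resolve ".." and symlinks first, then test the
 * prefix and the file type on the resolved path. Every failure returns the
 * same value, so the caller can emit a single generic message.
 */
int checked_is_dev_path(const char *device, char resolved[PATH_MAX])
{
    struct stat st;

    if (realpath(device, resolved) == NULL)  /* missing, ELOOP, EACCES, ... */
        return 0;
    if (strncmp(resolved, "/dev/", 5) != 0)  /* ".." or a symlink left /dev */
        return 0;
    if (stat(resolved, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;                            /* not a character device */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "/dev/null", "/dev/../etc/passwd",
                              "/dev/../no-such-file-example" };
    char resolved[PATH_MAX];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int ok = checked_is_dev_path(samples[i], resolved);
        printf("%-30s naive=%d checked=%d\n", samples[i],
               naive_is_dev_path(samples[i]), ok);
        if (!ok)  /* identical text for every rejection reason */
            fprintf(stderr, "error: %s is not a usable device\n", samples[i]);
    }
    return 0;
}
```

The check is path-based, so a caller should open the resolved path (not the user-supplied one) with `O_NOFOLLOW` and repeat the type check with `fstat()` on the descriptor.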