Bug 1913743 (CVE-2021-20197) - CVE-2021-20197 binutils: race window allows users to own arbitrary files
Summary: CVE-2021-20197 binutils: race window allows users to own arbitrary files
Keywords:
Status: NEW
Alias: CVE-2021-20197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1913744 1914810 1914811 1914812 1920642 1920643 1921862 1913745 1914813 1914814 1914815 1920639 1920641 1921457 1921459
Blocks: 1913748 1939993
Reported: 2021-01-07 13:57 UTC by Marian Rehak
Modified: 2021-03-17 12:06 UTC (History)
CC List: 25 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
There is an open race window when writing output in the following utilities in GNU binutils: ar, objcopy, strip, and ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
Clone Of:
Environment:
Last Closed:



Description Marian Rehak 2021-01-07 13:57:10 UTC
There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib.
When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.

Reference:

https://sourceware.org/bugzilla/show_bug.cgi?id=26945

Comment 1 Marian Rehak 2021-01-07 13:57:45 UTC
Created binutils tracking bugs for this issue:

Affects: fedora-all [bug 1913744]


Created mingw-binutils tracking bugs for this issue:

Affects: fedora-all [bug 1913745]

Comment 8 Marco Benatto 2021-01-28 18:23:59 UTC
There's an issue with the smart_rename() function from the binutils package. When called with a symlink as destination, the function is exposed to a race condition which eventually allows an unprivileged attacker to gain access to privileged files. Although the flaw exists, the impact is reduced as several pre-conditions must be achieved to make the malicious user able to reach such a result; also, the function is not exposed to any API, being used in specific utilities only.

Comment 12 Miloš Prchlík 2021-02-02 08:29:33 UTC
Nick, can you advise me WRT testing of this patch? There seems to be no clear reproducer, and upstream patches don't update any test cases.

Comment 13 Siddhesh Poyarekar 2021-02-02 08:42:16 UTC
There's no reproducer for this as the preconditions make the bug fairly hard to exploit.  I would suggest sanity testing only, i.e.:

1. Making sure that the testsuite runs clean
2. When run as root, ar, strip, objdump, objcopy, etc. should preserve permissions and ownership of existing files
3. When run as non-root too, those utilities should preserve permissions and ownership of existing files.
4. When run as non-root, ar should create files with correct permissions and also not crash.

Test (4) fails for the 3 patches in comment 9 due to the following upstream bugs (regressions from those patches):

https://sourceware.org/bugzilla/show_bug.cgi?id=27270
https://sourceware.org/bugzilla/show_bug.cgi?id=27284

There's a fourth patch under review to fix them:

https://sourceware.org/pipermail/binutils/2021-February/115161.html

Comment 14 Nick Clifton 2021-02-02 10:27:54 UTC
Hi Miloš,

  Given Siddhesh's comments it looks like this BZ is not going to be easy to test.  Sorry about that.

  The only thing that I would add is that given that the theoretical attack involves tricking root into running a binutils tool on a symbolic link to another file, it would be useful to run Siddhesh's check (2) on symbolic links as well as real files.

Cheers
  Nick

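An added helper for sanity checks (2) and (3) from comment 13 together with Nick's symlink variant; it is not part of this bug report or of binutils. It records the file type, owner, group and mode of a path (both the path itself and, for a symlink, its target), runs the given tool on it, and reports whether anything changed. It assumes GNU coreutils stat and a tool that takes the file to rewrite as its last argument.

```shell
#!/bin/sh
# Added sanity-check helper for the CVE-2021-20197 fix (not from the bug
# report or from binutils). Assumes GNU coreutils stat (-c / -L options) and
# a tool that takes the file to rewrite as its last argument, e.g.
#   attrs_preserved ./hello strip
#   attrs_preserved ./link-to-hello objcopy    # the symlink variant
# Run once as root and once as an unprivileged user; both must say "unchanged".

# file type, owner, group and mode of a path, without following symlinks
attrs_of() { stat -c '%F:%u:%g:%a' "$1"; }

# the same, following symlinks, i.e. the attributes of the link's target
target_attrs_of() { stat -L -c '%F:%u:%g:%a' "$1"; }

# attrs_preserved FILE CMD [ARGS...]
# Returns 0 if FILE (and its symlink target, if any) has the same type, owner,
# group and mode after "CMD ARGS... FILE" as before; 1 if anything changed
# (e.g. the tool replaced the link with a new file or re-owned the target);
# 2 if the tool itself failed or crashed (check 4 in comment 13).
attrs_preserved() {
    f=$1
    shift
    before="$(attrs_of "$f")|$(target_attrs_of "$f")"
    "$@" "$f" || return 2
    after="$(attrs_of "$f")|$(target_attrs_of "$f")"
    if [ "$before" = "$after" ]; then
        echo "unchanged: $f"
        return 0
    fi
    echo "CHANGED: $f" >&2
    echo "  before: $before" >&2
    echo "  after:  $after" >&2
    return 1
}
```
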
Comment 15 Miloš Prchlík 2021-02-02 12:32:46 UTC
Thank you both, I'll need to reserve more time for testing then.
