oss-sec mailing list archives
libreoffice-online "loolforkit" privileged program local root exploit
From: Matthias Gerstner <mgerstner () suse de>
Date: Mon, 18 Jan 2021 16:07:40 +0100
Hello list, libreoffice-online [1] contains a privileged setuid-root like binary "loolforkit" [2] that carries Linux capability bits for CAP_FOWNER, CAP_MKNOD and CAP_SYSCHROOT. Upstream's intention seems to be that this program should only be accessible to the "loolforkit" user in the system. This precondition is not fulfilled in the 7.0 release versions of the "loolforkit" program, however, because a command line switch "--disable-lool-user-checking" allows to bypass this check. In the upstream repository this was fixed as a "side effect" of commit d9708437b2 [3]. Any user that is allowed to run this program can obtain root privileges. In the `globalPreinit()` function the program attempts to load a shared library under the user specified lotemplate path (parameter "--lotemplate"). Thus the unprivileged caller can cause arbitrary code to be executed in the context of the privileged program. Even with the fix from commit d9708437b2 the "loolforkit" user is equivalent to root, because it can execute arbitrary code as root using this attack vector. I think this creates a false sense of security, because to unaware users it looks like there is user separation in place. A compromised "loolforkit" user account can easily become root using the "loolforkit" program, however. I did not fully review the program source. The large amount of command line switches the program accepts and the general program philosophy "it's okay if the right user is calling it" make me suspect that there a further weaknesses over the '--lotemplate' approach in this program that might allow to escalate privileges. I contacted upstream by email on 2020-12-14 and offered coordinated disclosure of these issues and recommended to thoroughly check the program's source code for issues. It seems upstream considers this fixed with commit d9708437b2 and doesn't consider it an issue that the "loolforkit" user can escalate privileges to root using this program. I recommended to assign at least a CVE for the combination of the two issues that allows arbitrary users in the system to become root using the "loolforkit" binary. Nothing happened so far, however. Formally libreoffice-online is covered by the "Document Foundation" CNA, therefore I did not request a CVE for this via the Mitre CVE form. I will try to contact the CNA directly in this matter. [1]: https://github.com/LibreOffice/online [2]: https://github.com/LibreOffice/online/blob/master/kit/ForKit.cpp [3]: https://github.com/LibreOffice/online/commit/d9708437b2ba2f8c10eeb95c9ce7bd78cc83d244 Cheers Matthias -- Matthias Gerstner <matthias.gerstner () suse de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Phone: +49 911 740 53 290 GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Felix Imendörffer
Attachment:
signature.asc
Description:
Current thread:
- libreoffice-online "loolforkit" privileged program local root exploit Matthias Gerstner (Jan 18)
- Re: libreoffice-online "loolforkit" privileged program local root exploit Matthias Gerstner (Jan 21)