oss-sec mailing list archives
virtualbox: CVE-2021-25319: missing sticky bit in openSUSE packaging for /etc/box allows local root exploit for members of vboxusers group
From: Matthias Gerstner <mgerstner () suse de>
Date: Mon, 26 Apr 2021 15:41:17 +0200
Hi,

somewhat related to CVE-2021-2264 I noticed an openSUSE-specific
security issue in the openSUSE packaging for virtualbox [1]. To enable
the autostart feature in virtualbox as outlined in the upstream manual
[2], our packagers introduced a group 'vboxusers' that is granted write
access to the directory /etc/vbox as the "autostart DB". Contrary to
what the manual says, the directory was not packaged with the sticky bit
set, however.

The file /etc/vbox/vbox.cfg is a configuration file for virtualbox. This
file is sourced by other virtualbox bash scripts running as root like
'vboxautostart.sh', 'vboxdrv.sh' and 'vboxweb-service.sh'. Due to the
missing sticky bit, any member of the vboxusers group can replace the
/etc/vbox/vbox.cfg file with a manipulated one, allowing for full code
execution in the context of the root user once e.g. the vboxautostart
systemd service runs.

Reproducer:

    root# su -g vboxusers nobody
    nobody$ cd /etc/vbox
    nobody$ cp vbox.cfg vbox.cfg.new
    nobody$ rm -f vbox.cfg
    nobody$ mv vbox.cfg.new vbox.cfg
    nobody$ echo "touch /root/evil" >>vbox.cfg
    nobody$ exit
    root# systemctl start vboxautostart.service
    root# ls -lh /root/evil
    -rw-r--r-- 1 root root 0 2. Mär 12:14 /root/evil

I have been looking into other distributions like Arch Linux, Fedora and
also some of the RPMs distributed on www.virtualbox.org. They all
package /etc/vbox as root:root mode 755 and are therefore not affected.

Updates for the openSUSE virtualbox packages are underway [3] that will
fix the packaging error and also move the "autostart DB" directory from
/etc/vbox to /etc/vbox/autostart.d to avoid mixing the autostart-related
files with the virtualbox system configuration file in the same
directory.

Cheers

Matthias

[1]: https://build.opensuse.org/package/show/Virtualization/virtualbox
[2]: https://www.virtualbox.org/manual/ch09.html#autostart-linux
[3]: https://bugzilla.suse.com/show_bug.cgi?id=1182918
--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Managing Director: Felix Imendörffer
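
An audit check for the condition described in the advisory above, as an added example that is not part of the original post or of the virtualbox packaging: it classifies whether a file sourced by root scripts can be swapped out through its parent directory. `check_sourced_file` and its verdict strings are hypothetical names, GNU `stat` is assumed, and only the file and its immediate parent directory are inspected.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the virtualbox packages.
# check_sourced_file is a hypothetical helper; it assumes GNU stat (coreutils).
#
# usage:  check_sourced_file FILE [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# prints: ok | replaceable | plantable | untrusted-owner | file-writable
# The body runs in a subshell, so "exit" only sets the function's status.
check_sourced_file() (
    file=$1
    trusted=${2:-0}
    dir=$(dirname -- "$file")
    downer=$(stat -c '%u' -- "$dir") || exit 2
    dbits=$((0$(stat -c '%a' -- "$dir")))      # leading 0: parse as octal

    dir_owner_untrusted=0
    [ "$downer" = "$trusted" ] || dir_owner_untrusted=1
    dir_shared=0                               # group or other write bit set
    [ $(( $dbits & 0022 )) -eq 0 ] || dir_shared=1
    sticky=0
    [ $(( $dbits & 01000 )) -eq 0 ] || sticky=1

    if [ ! -e "$file" ]; then
        # A missing file can be created by anyone who may write the directory.
        if [ "$dir_owner_untrusted" -eq 1 ] || [ "$dir_shared" -eq 1 ]; then
            echo plantable; exit 1
        fi
        echo ok; exit 0
    fi

    # Without the sticky bit, directory write access is enough to remove the
    # file and put another one in its place, whatever the file's own mode is.
    # The directory owner can do so even when the sticky bit is set.
    if [ "$dir_owner_untrusted" -eq 1 ] ||
       { [ "$dir_shared" -eq 1 ] && [ "$sticky" -eq 0 ]; }; then
        echo replaceable; exit 1
    fi

    fowner=$(stat -c '%u' -- "$file") || exit 2
    fbits=$((0$(stat -c '%a' -- "$file")))
    if [ "$fowner" != "$trusted" ]; then echo untrusted-owner; exit 1; fi
    if [ $(( $fbits & 0022 )) -ne 0 ]; then echo file-writable; exit 1; fi
    echo ok
)
```

On a host with the affected package, `check_sourced_file /etc/vbox/vbox.cfg` would be expected to print `replaceable`; with the root:root mode 755 packaging it prints `ok`.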