Why the CPLUGINS feature is enabled by default AND completely undocumented?

Loading code to my app based on some unknown environment variable
_by_default_ already seems like a vulnerability to me.

I work principally on Windows, where the ability to load code into anything else is very much a feature, though I agree that on Unix, if you have execute but not read permission to a binary, then this mechanism could be exploited to dump the code, but the scope of this is much more limited.

We are still considering whether this feature should remain a default in 4.05.0 or 4.06.0 - note that you can disable it entirely by passing -no-cplugins to configure.

David

2017-06-23 20:18 GMT+05:00 Damien Doligez <Damien.Doligez@inria.fr>:

Dear OCaml users,

We have the pleasure of celebrating the birthday of Alan Turing by

announcing the release of OCaml version 4.04.2.

This minor release fixes the security issue described in

CVE-2017-9772 (included below).

All users should eventually upgrade to 4.04.2 from 4.04.0 and 4.04.1.

Any user who produces setuid programs with OCaml should read the CVE

and upgrade immediately.

It is available as an OPAM switch, or as a source download here:

 https://caml.inria.fr/pub/distrib/ocaml-4.04/

 https://github.com/ocaml/ocaml/archive/4.04.2.tar.gz

Happy hacking,

-- Damien Doligez for the OCaml team.

OCaml 4.04.2 (23 Jun 2017):

---------------------------

### Security fix:

- PR#7557: Local privilege escalation issue with ocaml binaries.

 (Damien Doligez, report by Eric Milliken, review by Xavier Leroy)

--------------------------------------------------------------------

CVE-2017-9772: Privilege escalation in OCaml runtime for SUID executables

The environment variables CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, and

CAML_BYTE_CPLUGINS can be used to auto-load code into any ocamlopt-compiled

executable or any ocamlc-compiled executable in ‘custom runtime mode’.

This can lead to privilege escalation if the executable is marked setuid.

Vulnerable versions: OCaml 4.04.0 and 4.04.1

Workarounds:

  - Upgrade to OCaml 4.04.2 or higher.

or - Compile the OCaml distribution with the "-no-cplugins" configure option.

or - OPAM users can "opam update && opam switch recompile 4.04.1", as

    the repository has had backported patches applied.

Impact: This only affects binaries that have been installed on Unix-like

operating systems (including Linux and macOS) with the setuid bit set.

However, in that situation, any user who execute the program gains all

the privileges of the owner of the executable (meaning that root-owned

setuid executables provide root access).

Fix: OCaml 4.04.2 mitigates this by modifying Sys.getenv and Unix.getenv

to raise an exception if the process has ever had elevated privileges.

The OCaml runtime has also been modified to use this function for

retrieving all of the runtime environment variables which could potentially

cause files to be accessed or modified.  The older behaviour is available

in Sys.unsafe_getenv for applications that require strict compatibility.

Credits: This was originally reported by Eric Milliken on the OCaml Mantis

bug tracker. https://caml.inria.fr/mantis/view.php?id=7557

References: see CVE-2017-9779 for a lesser vulnerability in older versions.

CVSS v2 Vector:

AV:L/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:OF/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:L

CWE ID: 114

--

Caml-list mailing list.  Subscription management and archives:

https://sympa.inria.fr/sympa/arc/caml-list

Beginner's list: http://groups.yahoo.com/group/ocaml_beginners

Bug reports: http://caml.inria.fr/bin/caml-bugs

--
Caml-list mailing list.  Subscription management and archives:
https://sympa.inria.fr/sympa/arc/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs