The gargoyle shell launcher currently does this:
abspath=$(readlink -f "$0") # get the full path of this script (quoted so paths with spaces survive)
dirpath=$(dirname "$abspath") # get directory part
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$dirpath
If LD_LIBRARY_PATH is not previously defined, it will become something like:
:/path/to/gargoyle
That is, it contains 2 paths:
- an empty path
- /path/to/gargoyle
The empty path means "current directory".
Consequently, if I share access to a computer with another user, I can
use a trick to gain access to his account:
- install a modified version of libgarglk.so (a version that, for
example, starts a keyboard sniffer in the background) in a directory
I control, say /home/me/super-cool-if/
- ask the user to run a super cool Interactive Fiction in that
directory
- the naive user will:
cd /home/me/super-cool-if/
~/bin/launcher.sh if.z8
In that case, gargoyle will be told to look for 'libgarglk.so' in the
current directory, that is, the one where I put the nasty version.
Now I just have to wait for him to type passwords.
Consequently, the code should be hardened this way:
if [ -z "$LD_LIBRARY_PATH" ]; then
# Don't add an empty path (== current directory) to
# LD_LIBRARY_PATH, this would allow a user to trick another
# user into running gargoyle in a directory with a cracked
# libgarglk.so, and gain access to his/her account.
export LD_LIBRARY_PATH="$dirpath"
else
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$dirpath"
fi
--
Sylvain
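As an added example (not code from Sylvain's post or from the gargoyle project), here is a POSIX sh version of the same guard written as reusable functions. It goes a step beyond the unset case: an empty entry can also appear as a trailing ":" or a doubled "::" in an inherited LD_LIBRARY_PATH, and the loader treats each of those as the current directory too. The function names and the sample path values are assumptions chosen for illustration.

```shell
#!/bin/sh
# has_empty_entry VALUE -> exit 0 if VALUE contains an empty entry, i.e. a
# leading ":", a trailing ":" or a "::" (each means "current directory" to
# the dynamic loader); an unset/empty VALUE has no entries and passes.
has_empty_entry() {
    case "$1" in
        '')          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# path_append CURRENT DIR -> prints CURRENT with DIR appended, never creating
# an empty entry: an unset CURRENT yields just DIR, and empty entries already
# present in CURRENT are dropped instead of being carried along.
# (Plain variables are used instead of `local` to stay POSIX-portable.)
path_append() {
    rest=$1 dir=$2 out=
    while [ -n "$rest" ]; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;   # split off first entry
            *)   entry=$rest; rest= ;;                    # last entry
        esac
        [ -n "$entry" ] && out=${out:+$out:}$entry
    done
    printf '%s\n' "${out:+$out:}$dir"
}

# Constructed demonstration: an inherited value with a trailing colon (the
# kind of environment the unguarded launcher line would pass through).
inherited='/usr/local/lib:'
dirpath='/path/to/gargoyle'   # assumed install directory, as in the post
if has_empty_entry "$inherited"; then
    echo "warning: inherited LD_LIBRARY_PATH contains an empty entry (current directory)"
fi
# In the launcher this line would replace the unguarded export:
LD_LIBRARY_PATH=$(path_append "$inherited" "$dirpath"); export LD_LIBRARY_PATH
echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH"   # /usr/local/lib:/path/to/gargoyle
```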