Full Report
After Qualys posted a sudo vulnerability that shook the world a while ago, the author of the post was wondering what other installed setuid binaries have vulnerabilities. They specifically decided to look into how environment variables were being used by these programs, and tried setting environment variables for all of the setuid binaries on their system. To see which variables were consulted, they preloaded a library that simply logged all calls to getenv(). After going through a bunch of dead ends, the variable INPUTRC appeared. This is used to point at a configuration file. They set the environment variable to /etc/shadow, hoping that something interesting could be leaked. While running chfn, the output of the program indicated that the file was read! However, nothing useful was output.

The author decided to search through the source code to find something interesting. The readline library was where this environment variable was doing its damage. While parsing the configuration file, it outputs the errors along with the badly parsed data. So, what gets output in the errors? Can we trick it into outputting something useful? A line that begins with a quotation mark without a closing mark will be output. Additionally, a line that starts with a colon with no whitespace. Finally, and most useful, a line without a space, tab or colon will output the entire line! SSH keys match this pattern, since they are base64-encoded data.

What's the punch line? Don't use readline in setuid binaries. The binary could also simply clear this environment variable. To me, the blame for the bug is hard to place. Is it reasonable for the maintainers of chfn to know this quirk? Additionally, is it reasonable for readline to output these errors? To me, the blame isn't on any of these devs. Overall, a great article that is concise, well-written and has many good jokes. setuid bugs aren't dead!
Analysis Summary
# Vulnerability: Readline Configuration Parsing in SUID Binaries (Information Leakage)
## CVE Details
- CVE ID: CVE-2022-0563
- CVSS Score: Not stated in the source. The vector it describes (local access, low attack complexity, confidentiality impact only, no integrity or availability impact) corresponds to a moderate score rather than a high one.
- CWE: CWE-20 (Improper Input Validation) for the parsing defect; the effect is CWE-209 (Generation of Error Message Containing Sensitive Information), a child of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
## Affected Systems
- Products: `chfn` from `util-linux` (the CVE also covers `chsh`, which shares the same Readline support).
- Versions: Readline support was introduced in `util-linux` 2.30-rc1; it was removed, fixing the issue, in 2.37.4.
- Configurations: Only builds of `util-linux` compiled with Readline support are affected, and only when the binary is installed setuid root, because that is what makes the init file named by `INPUTRC` open with root's privileges. Distributions that build `chfn` without Readline are not affected.
## Vulnerability Description
The defect is a logic bug in how a setuid binary handles a user-controlled environment variable. `chfn` (setuid root) initializes GNU Readline, and Readline honours `INPUTRC` as the path of its init file. Because the file is opened by a process whose effective uid is root, the invoking user can name any root-readable file, such as `/root/.ssh/id_rsa`, and Readline will parse it as a keybinding configuration.
During parsing, Readline reports malformed lines through `_rl_init_file_error`, which writes `readline: <file>: line <n>: <message>` to stderr, and several of those messages include the offending line itself. In particular, a line that contains no space, tab or colon is reported in full as having no key sequence terminator. The body lines of a PEM-encoded private key are Base64 text and match that pattern exactly, so running `chfn` with `INPUTRC` pointing at the key prints the key material to the invoking user's terminal. Files whose lines are colon- or space-delimited (for example `/etc/shadow`) do not leak whole lines, which is why the author's first attempt only showed that the file had been read.
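To make the three echoing paths concrete, here is an added example, not code from the Trail of Bits post or from readline itself: a small C model of the delimiter scan at the top of readline's `rl_parse_and_bind()`, limited to the three error paths that hand the still-intact line to `_rl_init_file_error()`, run over a constructed stand-in for an OpenSSH key file. The `$` parser directives and the later bind/set stages are deliberately not modelled, the message strings are paraphrased, and the Base64 lines are made up, not key material.

```c
#include <stdio.h>
#include <string.h>

/* Why readline would print an inputrc line back to the caller. */
enum leak_kind {
    NO_LEAK = 0,
    LEAK_UNCLOSED_QUOTE,  /* no closing quote in a quoted key sequence */
    LEAK_MISSING_KEYSEQ,  /* line starts with the ':' separator */
    LEAK_NO_TERMINATOR    /* no ':', space or tab anywhere on the line */
};

static const char *const LEAK_REASON[] = {
    "ok", "no closing `\"' in key binding",
    "invalid key binding: missing key sequence", "no key sequence terminator",
};

/* Model of rl_parse_and_bind()'s initial scan: each LEAK_* result is an error
 * path reached before the line is split at its separator, so the whole line
 * reaches _rl_init_file_error(). Simplified model, not readline's code. */
enum leak_kind classify_inputrc_line(const char *line)
{
    size_t i = 0;

    while (*line == ' ' || *line == '\t')       /* leading whitespace is skipped */
        line++;
    if (*line == '\0' || *line == '#' || *line == '$')
        return NO_LEAK;                         /* blank, comment, parser directive */

    if (line[0] == '"') {                       /* quoted key sequence, e.g. "\C-x" */
        for (i = 1; line[i] != '\0' && line[i] != '"'; i++)
            if (line[i] == '\\' && line[i + 1] != '\0')
                i++;                            /* a backslash escapes the next char */
        if (line[i] == '\0')
            return LEAK_UNCLOSED_QUOTE;
        i++;
    }

    /* advance to the ':' / space / tab separating the key name from its action */
    while (line[i] != '\0' && line[i] != ':' && line[i] != ' ' && line[i] != '\t')
        i++;

    if (i == 0)                                 /* line starts with ':' */
        return LEAK_MISSING_KEYSEQ;
    if (line[i] == '\0')                        /* no separator at all: base64 lands here */
        return LEAK_NO_TERMINATOR;
    return NO_LEAK;                             /* separator found; the line is split, not echoed */
}

/* Constructed stand-in for /root/.ssh/id_rsa: the PEM armour lines contain
 * spaces, the body lines are made-up base64-alphabet text, not key material. */
const char *const FAKE_KEY_FILE =
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==\n"
    "MDEyMzQ1Njc4OSsvbWFkZS11cC1leGFtcGxlLWxpbmUtbm90LWEtcmVhbC1rZXk=\n"
    "-----END OPENSSH PRIVATE KEY-----\n";

static char g_captured_stderr[4096];

/* Feed TEXT through the classifier as if it were the init file FILENAME and
 * record what readline would print, in _rl_init_file_error()'s layout
 * "readline: FILE: line N: MESSAGE". Returns the number of lines echoed. */
int simulate_inputrc(const char *filename, const char *text)
{
    int lineno = 0, leaked = 0;
    size_t used = 0;
    const char *p = text;

    g_captured_stderr[0] = '\0';
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 511 ? full : 511;
        char line[512];
        enum leak_kind kind;

        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        kind = classify_inputrc_line(line);
        if (kind != NO_LEAK) {
            int w = snprintf(g_captured_stderr + used, sizeof g_captured_stderr - used,
                             "readline: %s: line %d: %s: %s\n",
                             filename, lineno, line, LEAK_REASON[kind]);
            if (w > 0 && (size_t)w < sizeof g_captured_stderr - used)
                used += (size_t)w;
            leaked++;
        }
        p = nl ? nl + 1 : p + full;
    }
    return leaked;
}

const char *captured_stderr(void) { return g_captured_stderr; }

int main(void)
{
    int n = simulate_inputrc("/root/.ssh/id_rsa", FAKE_KEY_FILE);
    fputs(captured_stderr(), stderr);
    printf("%d of 4 lines echoed verbatim\n", n);
    return 0;
}
```

Run it and the armour lines, which contain spaces, are treated as a (failed) key binding and stay silent, while every Base64 body line comes back verbatim tagged `no key sequence terminator`; that is the whole exploit in miniature.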
## Exploitation
- Status: PoC available (demonstrated using `INPUTRC=/root/.ssh/id_rsa chfn`).
- Complexity: Low. The attacker needs local access as any user who can run `chfn`, a guess at the path of a root-readable file, and the target file's interesting lines must contain no space, tab or colon (PEM key bodies qualify; `/etc/shadow` does not).
- Attack Vector: Local.
## Impact
- Confidentiality: High (Sensitive data, such as SSH private keys, can be leaked if the file is readable by the SUID process).
- Integrity: Low (No direct modification ability demonstrated).
- Availability: None demonstrated.
## Remediation
### Patches
- Fixed in `util-linux` by removing Readline support, and with it the `INPUTRC` handling, from `chfn` and `chsh`.
- **Action:** Upgrade `util-linux` to a patched version (e.g., 2.37.4 or later).
- Commit fixing the issue: `faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17`
### Workarounds
1. **Environment Variable Scrubbing:** A setuid binary that must keep Readline should unset `INPUTRC` before any Readline initialization. The dynamic loader's secure-execution mode only drops its own list of variables (`LD_PRELOAD` and friends); `INPUTRC` is not among them, so the program has to do this itself. Unsetting `INPUTRC` alone is not a complete fix either: Readline then falls back to `~/.inputrc`, which it locates via `$HOME` and which can itself be a symlink the user planted, so the init file should be opened with the real user's privileges (drop the effective uid around the Readline call) rather than root's.
2. **Avoid Readline in SUID:** Do not link Readline into setuid binaries at all, or call it only after privileges have been dropped. Any library that takes a path from the environment and reports parse errors by echoing its input is an information-disclosure primitive when it runs with elevated privileges.
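The two workarounds above, as an added example for a hypothetical setuid program that wants to keep Readline (illustrative code, not util-linux's or readline's): it scrubs `INPUTRC` and resets `HOME` from the passwd database, checks that an init file it is about to open is a regular file owned by the real user without following symlinks, and, the step that actually closes the hole, runs the Readline setup with the effective uid switched to the real user so Readline's own `open()` carries only the caller's permissions. `fake_readline_setup` stands in for `rl_initialize()`; the temp-file helpers exist only to exercise the ownership check, and the uid values passed to `inputrc_survives_scrub` are assumed rather than read from the process.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1. Scrub what readline reads from the environment. glibc's secure-execution
 *    mode drops loader variables such as LD_PRELOAD for setuid programs, but
 *    INPUTRC is not on that list. HOME is reset from the passwd database too,
 *    because with INPUTRC unset readline falls back to "~/.inputrc" and tilde
 *    expansion honours $HOME. Returns how many variables were changed. */
int scrub_readline_env(uid_t ruid, uid_t euid)
{
    int changed = 0;
    struct passwd *pw;
    const char *want, *have;

    if (ruid == euid)                     /* not privileged: leave the user's env alone */
        return 0;
    if (getenv("INPUTRC") != NULL) {
        unsetenv("INPUTRC");
        changed++;
    }
    pw = getpwuid(ruid);
    want = pw != NULL ? pw->pw_dir : NULL;
    have = getenv("HOME");
    if (want == NULL) {
        if (have != NULL) { unsetenv("HOME"); changed++; }
    } else if (have == NULL || strcmp(have, want) != 0) {
        setenv("HOME", want, 1);
        changed++;
    }
    return changed;
}

/* Plant the attacker's INPUTRC, scrub with the given (assumed) ids, and
 * report whether it survived: 1 = still set, 0 = removed. */
int inputrc_survives_scrub(uid_t ruid, uid_t euid)
{
    setenv("INPUTRC", "/root/.ssh/id_rsa", 1);
    scrub_readline_env(ruid, euid);
    return getenv("INPUTRC") != NULL;
}

/* 2. Before opening an init file while privileged, insist on a regular file
 *    owned by the real user and never follow symlinks: a user-owned
 *    ~/.inputrc can still be a symlink to /root/.ssh/id_rsa. 1 = safe. */
int inputrc_is_safe(const char *path, uid_t ruid)
{
    struct stat st;
    int ok = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == ruid)
        ok = 1;
    close(fd);
    return ok;
}

/* 3. The check above is check-then-use (readline opens the path again itself).
 *    What closes the hole is running the readline setup with the effective uid
 *    switched to the real user, so readline's own open() has only the caller's
 *    permissions; the saved set-user-ID lets us regain root afterwards.
 *    Returns 0 on success, -1 if a uid switch failed. */
int run_as_real_user(void (*readline_setup)(void))
{
    uid_t ruid = getuid(), euid = geteuid();

    if (ruid != euid && seteuid(ruid) != 0)
        return -1;
    readline_setup();                     /* rl_initialize() in a real program */
    if (ruid != euid && seteuid(euid) != 0)
        return -1;
    return 0;
}

static int g_setup_calls;
static void fake_readline_setup(void) { g_setup_calls++; }  /* stand-in for rl_initialize() */
int setup_calls(void) { return g_setup_calls; }

/* Constructed fixtures: a regular file owned by us, and a symlink pointing at it. */
const char *make_temp_regular_file(void)
{
    static char path[256];
    char dir[] = "/tmp/rlhard_XXXXXX";
    int fd;

    if (mkdtemp(dir) == NULL)
        return "/nonexistent";
    snprintf(path, sizeof path, "%s/inputrc", dir);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return "/nonexistent";
    close(fd);
    return path;
}

const char *make_temp_symlink_to(const char *target)
{
    static char link[256];
    char dir[] = "/tmp/rlhard_XXXXXX";

    if (mkdtemp(dir) == NULL)
        return "/nonexistent";
    snprintf(link, sizeof link, "%s/inputrc", dir);
    return symlink(target, link) == 0 ? link : "/nonexistent";
}

int main(void)
{
    const char *own = make_temp_regular_file();

    printf("INPUTRC survives scrub when setuid: %d, when not setuid: %d\n",
           inputrc_survives_scrub(1000, 0), inputrc_survives_scrub(1000, 1000));
    printf("own file safe: %d, symlink to it safe: %d, root-owned file safe: %d\n",
           inputrc_is_safe(own, getuid()),
           inputrc_is_safe(make_temp_symlink_to(own), getuid()),
           inputrc_is_safe("/etc/passwd", 4242));
    printf("readline setup as real user: %d (ran %d time)\n",
           run_as_real_user(fake_readline_setup), setup_calls());
    return 0;
}
```

Installed setuid root, `run_as_real_user()` relies on the saved set-user-ID to regain root after the Readline call; run unprivileged, as the demo does, the wrapper is a no-op, which is why it can execute without being setuid. The ownership check is defence in depth for code paths that cannot drop privileges; on its own it still leaves a check-then-open race.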
## Detection
- Indicators of Compromise: `chfn` or `chsh` writing `readline: <file>: line <n>: <message>` lines to stderr where `<file>` is outside the invoking user's home directory and is not `/etc/inputrc`, especially paths under `/root/.ssh/` or other key and credential files.
- Detection methods and tools: Process-execution telemetry that records the environment of setuid processes can alert on `INPUTRC` pointing outside the caller's home when the target is `chfn` or `chsh`; note that `auditd`'s `execve` records capture arguments but not environment variables, so this needs a tracer that does. On the host, inventory setuid binaries linked against `libreadline` (`find / -perm -4000 -type f` combined with `ldd` on each result) and upgrade or remove them.
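For the stderr indicator above, an added example that is not from the original post: a C triage routine that parses captured program output for lines in `_rl_init_file_error`'s layout and flags those whose init file lies outside the invoking user's home or `/etc/inputrc`. The captured output is constructed for the example; the `Changing finger information` line mimics `chfn`'s normal output to show that unrelated lines are ignored, and the Base64 fragments are made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stderr capture of a chfn run: two benign readline complaints
 * (the user's own typo, the system file) and two lines leaking a root key. */
const char *const SAMPLE_STDERR =
    "readline: /home/alice/.inputrc: line 2: \"\\C-x: no closing `\"' in key binding\n"
    "readline: /root/.ssh/id_rsa: line 2: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=: no key sequence terminator\n"
    "readline: /root/.ssh/id_rsa: line 3: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=: no key sequence terminator\n"
    "readline: /etc/inputrc: line 5: :weird: invalid key binding: missing key sequence\n"
    "Changing finger information for alice.\n";

/* Parse one line of the form "readline: <path>: line <n>: <message>".
 * Copies <path> into PATHBUF and <n> into LINENO; returns 1 on a match.
 * (A path that itself contains ": line " would split early; fine for triage.) */
int parse_readline_error(const char *line, char *pathbuf, size_t pathsz, int *lineno)
{
    static const char prefix[] = "readline: ";
    const char *start, *sep;
    size_t n;

    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return 0;
    start = line + sizeof prefix - 1;
    sep = strstr(start, ": line ");
    if (sep == NULL)
        return 0;
    n = (size_t)(sep - start);
    if (n == 0 || n >= pathsz)
        return 0;
    memcpy(pathbuf, start, n);
    pathbuf[n] = '\0';
    return sscanf(sep + 7, "%d:", lineno) == 1;
}

static char g_flagged[1024];

/* Scan CAPTURE line by line and flag readline errors whose init file is
 * neither under USER_HOME nor the system-wide /etc/inputrc. Returns the
 * number of flagged lines; flagged_paths() lists them as "path:line". */
int flag_readline_leaks(const char *capture, const char *user_home)
{
    int flagged = 0;
    size_t used = 0, homelen = strlen(user_home);
    const char *p = capture;

    g_flagged[0] = '\0';
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 1023 ? full : 1023;
        char line[1024], path[512];
        int lineno = 0;

        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_readline_error(line, path, sizeof path, &lineno)) {
            int under_home = strncmp(path, user_home, homelen) == 0 && path[homelen] == '/';
            int system_file = strcmp(path, "/etc/inputrc") == 0;
            if (!under_home && !system_file) {
                int w = snprintf(g_flagged + used, sizeof g_flagged - used, "%s:%d\n", path, lineno);
                if (w > 0 && (size_t)w < sizeof g_flagged - used)
                    used += (size_t)w;
                flagged++;
            }
        }
        p = nl ? nl + 1 : p + full;
    }
    return flagged;
}

const char *flagged_paths(void) { return g_flagged; }

int main(void)
{
    int n = flag_readline_leaks(SAMPLE_STDERR, "/home/alice");
    printf("%d suspicious readline error line(s):\n%s", n, flagged_paths());
    return 0;
}
```

The allow-list is deliberately narrow: a user's own `~/.inputrc` producing parse errors is noise, anything else named in a `readline:` message from a setuid program is worth a look, because the only way that file got there is through `INPUTRC` or `HOME`.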
## References
- Vendor advisories: Red Hat Bugzilla: Bug 2053151.
- Relevant links:
- `https://blog.trailofbits.com/2023/02/16/readline-crime-exploiting-a-suid-logic-bug/`
- `https://www.cvedetails.com/cve/CVE-2022-0563/`