Bugzilla – Bug 1170178
AUDIT-FIND: enlightenment: enlightenment_system: ecore_file_app_installed(): can be tricked into returning bogus results
Last modified: 2020-05-22 10:25:12 UTC
+++ This bug was initially created as a clone of Bug #1169238
i) `ecore_file_app_installed()` can be tricked into returning bogus results
Various calls to `ecore_file_app_installed()` are performed in the context of
the setuid-root binary. This function performs a direct check for the
existence of the given filename before checking the directories found in the
PATH environment variable.
Since the CWD is controlled by a potential attacker (see g)), the attacker can
place arbitrary files named like the searched binaries in the CWD. As a
result the `ecore_file_app_installed()` will return bogus results. I couldn't
find any way to exploit this fact in the context of the setuid-root binary.
I suggest *not* to check the CWD in `ecore_file_app_installed()`. If
the CWD should be checked then the PATH environment variable should contain
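The lookup order the report describes, as an added C example (not EFL's own code): a weak `app_installed_weak()` that checks a bare name against the CWD before PATH, beside a hardened variant that never consults the CWD and resolves bare names only against absolute PATH entries, plus a small `demo_cwd_trick()` that drops a constructed scratch file into the CWD to show the two disagree. The function names and the placeholder PATH value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scan colon-separated PATH for `exe`; absolute_only skips relative entries
 * (including the empty entry, which means the CWD). */
static bool search_path(const char *exe, const char *path, bool absolute_only)
{
    char buf[4096];
    for (const char *p = path ? path : "";;) {
        const char *end = strchr(p, ':');
        int len = end ? (int)(end - p) : (int)strlen(p);
        const char *dir = len ? p : ".";              /* empty entry == CWD */
        if ((!absolute_only || dir[0] == '/') &&
            snprintf(buf, sizeof buf, "%.*s/%s", len ? len : 1, dir, exe) < (int)sizeof buf &&
            access(buf, X_OK) == 0)
            return true;
        if (!end) return false;
        p = end + 1;
    }
}

/* Weak lookup, shaped like the report: the direct check on a bare name resolves against the CWD before PATH is consulted. */
bool app_installed_weak(const char *exe, const char *path)
{
    return access(exe, X_OK) == 0 || search_path(exe, path, false);
}

/* Hardened lookup: never consults the CWD; only absolute names are checked directly. */
bool app_installed_hardened(const char *exe, const char *path)
{
    if (strchr(exe, '/')) return exe[0] == '/' && access(exe, X_OK) == 0;
    return search_path(exe, path, true);
}

/* Demo: executable with a constructed name in the CWD, PATH without the CWD; returns 1 if only the weak lookup is fooled. */
int demo_cwd_trick(void)
{
    char name[] = "audit-demo-XXXXXX";        /* constructed scratch file in CWD */
    const char *path = "/nonexistent-dir-for-demo";   /* placeholder, assumed absent */
    int fd = mkstemp(name);
    if (fd < 0) return -1; close(fd); chmod(name, 0700);
    int weak = app_installed_weak(name, path), hard = app_installed_hardened(name, path);
    unlink(name);
    return weak && !hard;
}
```

The demo needs a writable current directory; the weak lookup reports the scratch file as installed although PATH never names the CWD, the hardened one does not.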
Fixed upstream: https://phab.enlightenment.org/rEFL56e2e21ae777434d718a262297a1e03cf2f565dc
Well, the upstream fix is not exactly what I had in mind. But, as the upstream
comment says, the actual attack vector is already fixed by setting the CWD in
the setuid-root binary.
Closing as fixed.