Coordinated Disclosure Timeline
- 2023-03-02: Emailed report to @sylvestre, @Xuanwo, and @drahnr
- 2023-03-02: Received reply from @drahnr
- 2023-03-17: Received email from @drahnr, notifying us that the issue is fixed: https://github.com/mozilla/sccache/pull/1663
- 2023-03-17: Sent email, asking if Mozilla are planning to assign a CVE.
- 2023-03-20: Received reply that CVE-2023-1521 has been assigned.
- 2023-03-21: Quietly fixed in v0.4.0 without any mention in the release notes that there was a vulnerability.
Summary
On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD.
If the server is run as root (which is the default when installing the snap package), this means a user running the sccache client can get root privileges.
Product
sccache
Tested Versions
The v2.2 snap package and a relatively recent commit. (Tested on Ubuntu 22.10.)
Details
Issue: client can run code with local server privileges (GHSL-2023-046)
When the sccache client sends a compile request to the server, it includes a copy of the local environment (src/commands.rs:371-376):
let req = Request::Compile(Compile {
exe: exe.as_ref().to_owned().into(),
cwd: cwd.as_ref().to_owned().into(),
args: args.iter().map(|a| a.as_ref().to_owned()).collect(),
env_vars, // <----- copy of local environment
});
The server executes the compile command with those same environment variables. An attacker can exploit this by setting the LD_PRELOAD environment variable to the absolute path of a malicious shared library. If the server is running as root (which is how it is configured in the snap package) then this enables an unprivileged local user to gain root privileges.
Note that there is already a FIXME comment in the code warning of this risk (src/cmdline.rs:279):
// FIXME: Maybe we should strip out `LD_PRELOAD` always?
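The defensive counterpart to that FIXME is to filter the forwarded environment before it crosses the privilege boundary. The following is an added example written for this advisory, not sccache's own code and not the fix that landed in the linked pull request: it drops any variable whose name starts with a dynamic-loader prefix (LD_ for glibc, DYLD_ for macOS dyld; the prefix list and the String-based types are assumptions) and reports what it removed so the server can log it.

```rust
// Added example, not part of sccache: strip dynamic-loader variables from a
// client-supplied environment before a privileged server executes anything
// with it. Prefix denylist and (String, String) pairs are assumptions.

/// Name prefixes the dynamic loader honours. Anything starting with these can
/// change which code is loaded into the compiler process (LD_PRELOAD,
/// LD_LIBRARY_PATH, LD_AUDIT, DYLD_INSERT_LIBRARIES, ...).
const BLOCKED_PREFIXES: &[&str] = &["LD_", "DYLD_"];

/// Returns true if `name` would influence dynamic loading.
pub fn is_loader_var(name: &str) -> bool {
    BLOCKED_PREFIXES.iter().any(|p| name.starts_with(p))
}

/// Filters `env_vars`, dropping every loader-controlling variable.
/// Returns the kept pairs and the names that were removed, so the server
/// side can log rejected variables instead of silently accepting them.
pub fn sanitize_env(env_vars: &[(String, String)]) -> (Vec<(String, String)>, Vec<String>) {
    let mut kept = Vec::with_capacity(env_vars.len());
    let mut dropped = Vec::new();
    for (name, value) in env_vars {
        if is_loader_var(name) {
            dropped.push(name.clone());
        } else {
            kept.push((name.clone(), value.clone()));
        }
    }
    (kept, dropped)
}

fn main() {
    // Constructed sample environment, not captured from a real session.
    let sample = vec![
        ("PATH".to_string(), "/usr/bin".to_string()),
        ("LD_PRELOAD".to_string(), "/tmp/constructed_example.so".to_string()),
        ("CC".to_string(), "gcc".to_string()),
    ];
    let (kept, dropped) = sanitize_env(&sample);
    println!("kept: {:?}", kept);
    println!("dropped: {:?}", dropped);
}
```

The filter belongs on the server, not only in the client: the client is the untrusted party here, so a client-side strip is merely cosmetic. A prefix denylist is the minimal fix; an allowlist of the variables a compiler actually needs (PATH, CC, CFLAGS and similar) is stricter and closes the door on loader knobs that may be added in future.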
To reproduce the vulnerability, first install sccache:
sudo snap install --candidate sccache --classic
Then build and run poc.sh from the attached tarball:
./poc.sh
The script creates a root-owned file: /oops_I_shouldnt_be_here
Impact
A regular user on a Linux machine with a system-wide sccache installation running the server as root (such as one installed via the snap package) can gain full administrative access to the machine.
CVE
- CVE-2023-1521
Credit
This issue was discovered and reported by @redsun82 (Paolo Tranquilli).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-046 in any communication regarding this issue.