uutils coreutils
cpe:2.3:a:gnu:coreutils:*:*:*:*:*:*:*
A vulnerability exists in the uutils coreutils chmod utility, specifically in version 0.6.0, which allows users to circumvent the --preserve-root safety feature. The implementation only checks whether the target path is exactly '/' and does not canonicalize the path before the comparison. As a result, an attacker, or a user acting unintentionally, can pass path variants such as '/../' or a symbolic link and perform harmful recursive actions, such as recursively changing permissions to '000' on the entire root filesystem. Such actions can result in a widespread loss of system permissions and potentially cause a complete system failure.
Exploitation of this vulnerability can lead to a significant loss of permissions across the system, with the potential for a total system breakdown.
The vulnerability can be reproduced by running the chmod command with path variants that bypass the --preserve-root check. For example, a symbolic link that points to a directory, or a path variant that navigates up the directory structure, is not recognized by the check. Once the path bypasses the root check, destructive recursive operations can be performed.
Users can update to uutils coreutils version 0.6.0 or later, where this vulnerability has been addressed.
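The gap between the literal comparison described above and a check that canonicalizes first, as an added Rust example (not code from uutils or from this advisory). The function names, the symlink name and the sample arguments are constructed for illustration, and a Unix-like system is assumed.

```rust
use std::fs;
use std::io;
use std::path::PathBuf;

/// Model of the check the advisory describes: only the exact string "/"
/// is recognised as the root directory.
fn is_root_literal(arg: &str) -> bool {
    arg == "/"
}

/// Hardened check: canonicalize() resolves ".", ".." and every symlink,
/// and the root is the only absolute path that has no parent.
/// Errors (e.g. a missing path) are returned so the caller can refuse.
fn is_root_canonical(arg: &str) -> io::Result<bool> {
    Ok(fs::canonicalize(arg)?.parent().is_none())
}

/// Returns the arguments that pass the literal check yet resolve to "/".
fn bypasses<'a>(args: &[&'a str]) -> io::Result<Vec<&'a str>> {
    let mut out = Vec::new();
    for &a in args {
        if !is_root_literal(a) && is_root_canonical(a)? {
            out.push(a);
        }
    }
    Ok(out)
}

/// Constructed sample input: a symlink to "/" inside the temp directory.
fn make_root_symlink(name: &str) -> io::Result<PathBuf> {
    let link = std::env::temp_dir().join(name);
    let _ = fs::remove_file(&link); // clear a stale link from an earlier run
    std::os::unix::fs::symlink("/", &link)?;
    Ok(link)
}

fn main() -> io::Result<()> {
    let link = make_root_symlink("preserve_root_demo_link")?;
    let link_s = link.to_string_lossy().into_owned();
    let args = ["/", "/../", "/./", link_s.as_str()];
    for a in bypasses(&args)? {
        println!("literal check misses: {a}");
    }
    fs::remove_file(&link) // removes the symlink itself, not its target
}
```

A guard built this way should run on every operand before any recursive traversal starts, and treat a canonicalization error as a reason to stop rather than to proceed.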