uutils Coreutils cp Utility Privilege Escalation Vulnerability via Improper Setuid/Setgid Handling
Vulnerability
A vulnerability exists in the cp utility of uutils coreutils, where it improperly manages setuid and setgid bits when ownership preservation fails. When the -p (preserve) flag is used, cp can retain original mode bits, including privileged bits, even if the chown operation fails. This behavior can lead to the creation of user-owned files with elevated privileges, allowing the execution of unauthorized actions or access to restricted resources, in violation of local security policies. This issue contrasts with GNU cp, which correctly removes these bits when ownership cannot be preserved.
Impact
Exploitation of this vulnerability can result in the unauthorized retention of setuid or setgid bits on copied files, creating user-owned executables with elevated privileges that could be misused, potentially leading to privilege escalation.
Reproduction
To reproduce this vulnerability, first create a root-owned setuid executable file. Then, as an unprivileged user, copy this file using the cp command with the -p option. After the copy operation, check the permissions of the copied file. The copy made by the uutils coreutils version of cp retains the setuid bits, while the copy made by the GNU version does not.
Remediation
Users can update to the latest version of uutils coreutils, where this issue has been addressed.
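The handling described above for GNU cp (drop setuid/setgid when ownership cannot be preserved) can be sketched in Rust as follows. This is an added example, not code from uutils or GNU coreutils; `final_mode`, `copy_preserve` and the injected `set_owner` callback are hypothetical names chosen for illustration.

```rust
// Added example: hardened preserve-copy logic; not code from uutils or GNU coreutils.
use std::fs::{self, File, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{chown, MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

const S_ISUID: u32 = 0o4000;
const S_ISGID: u32 = 0o2000;

/// Mode to apply to the copy: privileged bits survive only if ownership was preserved.
fn final_mode(src_mode: u32, ownership_preserved: bool) -> u32 {
    let perms = src_mode & 0o7777;
    if ownership_preserved { perms } else { perms & !(S_ISUID | S_ISGID) }
}

/// Copy `src` to `dst` preserving owner and mode. `set_owner` is injected
/// (an assumption of this example) so the chown-failure path can be exercised.
fn copy_preserve<F>(src: &Path, dst: &Path, set_owner: F) -> io::Result<u32>
where
    F: FnOnce(&Path, u32, u32) -> io::Result<()>,
{
    let meta = fs::metadata(src)?;
    // Create the destination private, never reusing an existing file, with no special bits yet.
    let mut out = OpenOptions::new().write(true).create_new(true).mode(0o600).open(dst)?;
    io::copy(&mut File::open(src)?, &mut out)?;
    drop(out);
    // Ownership first: the chmod comes after chown and must know whether chown worked.
    let owned = set_owner(dst, meta.uid(), meta.gid()).is_ok();
    let mode = final_mode(meta.mode(), owned);
    fs::set_permissions(dst, Permissions::from_mode(mode))?;
    Ok(mode)
}

fn main() -> io::Result<()> {
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} SRC DST", args[0]);
        std::process::exit(2);
    }
    let mode = copy_preserve(Path::new(&args[1]), Path::new(&args[2]), |p, u, g| {
        chown(p, Some(u), Some(g))
    })?;
    println!("{} copied with mode {:o}", args[2], mode);
    Ok(())
}
```

Run against a root-owned setuid source as an unprivileged user, the chown call fails and the copy ends up without the setuid and setgid bits.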
