uutils coreutils chroot Utility NSS Injection Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability has been identified in the chroot utility of uutils coreutils, specifically when the --userspec option is used. The utility resolves the user specification via getpwnam() after entering the chroot environment, but before relinquishing root privileges. On systems using glibc, this call can cause the Name Service Switch (NSS) to load shared libraries, such as libnss_*.so.2, from the new root directory. If that directory is writable by an attacker, the attacker can inject a malicious NSS module that executes arbitrary code as root, potentially leading to a complete escape from a container or unauthorized privilege escalation.
Impact
Exploitation of this vulnerability allows arbitrary code execution as root, resulting in a full container escape or privilege escalation, depending on the context in which it is exploited.
Reproduction
The vulnerability can be reproduced by creating a writable chroot environment and compiling a malicious NSS module that, when loaded, executes code to escape the chroot jail and create a file indicating successful exploitation. This crafted module is then injected by manipulating the NSS configuration to point to the new root directory, where the malicious module is stored.
Remediation
Users are advised to update to the latest version of uutils coreutils, where this vulnerability has been addressed.
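The precondition described above, a new root that an untrusted user can write to, can be checked before a privileged chroot --userspec call is made. The Python audit below is an added example, not code from the uutils project; the directory list, the function names and the trusted_uids parameter are assumptions made for illustration.

```python
import glob
import os
import stat

# Directories, relative to the new root, where glibc may find NSS
# configuration and modules (assumed list; extend it for your layout).
NSS_DIRS = ("", "etc", "lib", "lib64", "usr/lib", "usr/lib64")


def _unsafe(path, trusted_uids):
    """Return a reason string if an untrusted user could alter `path`."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A link target resolves differently inside the chroot, so report it.
        return "symlink (review target manually)"
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None


def audit_newroot(newroot, trusted_uids=frozenset({0})):
    """List (path, reason) findings that would permit NSS module injection."""
    candidates = []
    for rel in NSS_DIRS:
        d = os.path.normpath(os.path.join(newroot, rel))
        if not os.path.lexists(d):
            continue
        candidates.append(d)
        # Modules sit directly in a lib dir or one multiarch level below it.
        for pat in ("libnss_*.so.2", "*/libnss_*.so.2"):
            for mod in glob.glob(os.path.join(d, pat)):
                candidates += [mod, os.path.dirname(mod)]
    conf = os.path.join(newroot, "etc", "nsswitch.conf")
    if os.path.lexists(conf):
        candidates.append(conf)
    findings = []
    for path in sorted(set(candidates)):
        reason = _unsafe(path, trusted_uids)
        if reason:
            findings.append((path, reason))
    return findings
```

An empty result means none of the checked paths can be modified by a user outside trusted_uids; any finding marks a directory that should not be used as a chroot target by a root-run process.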
