Summary
A security audit found two vulnerabilities in BCC:
1. BPF C Code Injection (High Severity)
43 Python tools accept CLI arguments (PIDs, TIDs, UIDs, signal numbers) as unvalidated strings and interpolate them directly into BPF C source code via bpf_text.replace(). A local attacker can inject arbitrary C code into kernel BPF programs.
Example:
# Injects C code into the BPF program loaded into the kernel
sudo tcptop.py -p "1234; } malicious(); if (0"
Affected tools: tcptop, tcpconnlat, tcplife, tcpaccept, capable, cpudist, statsnoop, filelife, filegone, compactsnoop, vfsstat, ext4dist, shmsnoop, sofdsnoop, numasched, klockstat, opensnoop, drsnoop, tcpconnect, bindsnoop, nfsslower, xfsslower, zfsslower, ext4slower, btrfsslower, f2fsslower, execsnoop, killsnoop, ttysnoop, and 14 tools in tools/old/.
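To make the injection concrete from the defender's side, here is an added example (written for this page, not code from BCC or from the linked PR) that puts the vulnerable interpolation pattern beside the hardened one. The BPF C template is a constructed stand-in for the tools' real source, and the validators follow the names the proposed fix uses (positive_int, positive_nonzero_int, positive_int_list) with implementations that are an assumption, not the PR's code. The point it shows: once argparse has converted the argument to an int, the template can only ever receive digits, so the payload from the example above is rejected before any C text exists.

```python
import argparse
import re

# A BPF C template in the style of the affected tools. This is a constructed
# stand-in for illustration, not the real source of tcptop or any other tool.
BPF_TEXT = """
int trace_entry(struct pt_regs *ctx) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    if (FILTER_PID) { return 0; }
    return 0;
}
"""


def render_unvalidated(pid_arg):
    """The vulnerable pattern: a raw CLI string is spliced into C source.

    Whatever the caller typed ends up in the program compiled for the kernel.
    """
    return BPF_TEXT.replace("FILTER_PID", "pid != %s" % pid_arg)


# Validators in the spirit of the helpers the proposed fix names. The names
# come from the issue; these implementations are an assumption, not the PR's.
def positive_int(value):
    try:
        ivalue = int(value, 10)
    except ValueError:
        raise argparse.ArgumentTypeError("not an integer: %r" % value)
    if ivalue < 0:
        raise argparse.ArgumentTypeError("must not be negative: %d" % ivalue)
    return ivalue


def positive_nonzero_int(value):
    ivalue = positive_int(value)
    if ivalue == 0:
        raise argparse.ArgumentTypeError("must be greater than zero")
    return ivalue


def positive_int_list(value):
    # "1,2,3" -> [1, 2, 3]; one bad element rejects the whole list
    return [positive_int(item) for item in value.split(",")]


def build_parser():
    parser = argparse.ArgumentParser(description="validated-argument demo")
    parser.add_argument("-p", "--pid", type=positive_int)
    parser.add_argument("-t", "--tids", type=positive_int_list)
    parser.add_argument("-s", "--signal", type=positive_nonzero_int)
    return parser


def parse_args(argv):
    """Parse argv; return the Namespace, or None if argparse rejected it.

    argparse reports a type error and exits with status 2; catching
    SystemExit keeps that outcome observable to a caller.
    """
    try:
        return build_parser().parse_args(argv)
    except SystemExit:
        return None


def render_validated(pid):
    """The hardened pattern: only an already-validated int reaches the template."""
    if not isinstance(pid, int):
        raise TypeError("pid must be validated to int before rendering")
    return BPF_TEXT.replace("FILTER_PID", "pid != %d" % pid)


def filter_is_numeric_only(rendered):
    """True if the interpolated filter is a plain integer comparison."""
    return re.search(r"if \(pid != \d+\)", rendered) is not None
```

Running `parse_args(["-p", "1234; } malicious(); if (0"])` returns None because int() refuses the string at parse time, while `parse_args(["-p", "1234"])` yields an int that `render_validated` can only format as digits; the `-t` and `-s` options show the list and non-zero variants rejecting "1,x,3" and "0" the same way.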
2. World-Writable Directory Permissions (Medium Severity)
src/cc/bpf_module.cc creates /var/tmp/bcc/ and subdirectories with mode 0777. A local attacker can plant symlinks to overwrite arbitrary root-owned files when BCC writes cached program sources.
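The directory issue and the mkdir/O_NOFOLLOW/write() items of the proposed fix can be exercised end to end in a throwaway directory. The following is an added example written for this page, not BCC's own code (bpf_module.cc is C++; Python is used here to stay with the rest of the page's examples): it creates a private 0700 cache directory, refuses one that is a symlink or owned by someone else, opens cached files with O_NOFOLLOW so a planted symlink cannot redirect the write, and checks every write() return value. The victim file and the planted symlink in selfcheck() are constructed for the demonstration.

```python
import errno
import os
import shutil
import stat
import tempfile

CACHE_DIR_MODE = 0o700   # the proposed replacement for 0777
CACHE_FILE_MODE = 0o600


def ensure_private_dir(path):
    """Create the cache directory privately and refuse one we do not own.

    A pre-existing directory created by another user, or a symlink sitting
    where the directory should be, is an error rather than something to
    chmod into shape.
    """
    os.makedirs(path, mode=CACHE_DIR_MODE, exist_ok=True)
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise OSError(errno.ENOTDIR, "cache path is not a real directory", path)
    if st.st_uid != os.geteuid():
        raise OSError(errno.EPERM, "cache directory owned by another user", path)
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise OSError(errno.EPERM, "cache directory is group/world accessible", path)


def write_cached_source(path, data):
    """Write a cached program source without following a final-component symlink.

    O_NOFOLLOW makes open() fail with ELOOP if `path` itself is a symlink. It
    does not protect parent components, which is why the directory must be
    private. Each write() return value is checked so a short write cannot
    leave a truncated file that looks complete.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, CACHE_FILE_MODE)
    try:
        written = 0
        while written < len(data):
            n = os.write(fd, data[written:])
            if n <= 0:
                raise OSError(errno.EIO, "short write", path)
            written += n
    finally:
        os.close(fd)
    return written


def selfcheck():
    """Exercise both helpers in a temporary tree and return what was observed.

    The planted symlink stands in for the attack the issue describes; the
    victim file stands in for a root-owned target (both constructed here).
    """
    root = tempfile.mkdtemp()
    try:
        cache = os.path.join(root, "bcc")
        ensure_private_dir(cache)
        dir_mode = stat.S_IMODE(os.lstat(cache).st_mode)

        victim = os.path.join(root, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        planted = os.path.join(cache, "prog.c")
        os.symlink(victim, planted)
        try:
            write_cached_source(planted, b"overwritten")
            symlink_blocked = False
        except OSError as exc:
            symlink_blocked = exc.errno == errno.ELOOP
        with open(victim, "rb") as f:
            victim_after = f.read()

        regular = os.path.join(cache, "prog2.c")
        nbytes = write_cached_source(regular, b"int x;")
        file_mode = stat.S_IMODE(os.stat(regular).st_mode)
        return {
            "dir_mode": dir_mode,
            "symlink_blocked": symlink_blocked,
            "victim_after": victim_after,
            "written": nbytes,
            "file_mode": file_mode,
        }
    finally:
        shutil.rmtree(root)
```

`selfcheck()` reports the symlinked path being refused with ELOOP and the victim's contents intact, while a regular file in the same directory is written with all bytes accounted for. Note that O_NOFOLLOW alone is not enough: it only covers the last path component, so the 0700 directory and the ownership check are what keep an attacker from controlling the parents.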
Proposed Fix
We have a complete fix with tests at: https://github.com/SleuthCo/bcc/pull/2
Changes:
- Add type=int to all vulnerable argparse arguments (43 tools) so non-numeric input is rejected at parse time
- Add shared validators (positive_int, positive_nonzero_int, positive_int_list) to bcc.utils
- Change mkdir() mode from 0777 to 0700
- Add O_NOFOLLOW to open() calls and check write() return values
- ~80 test cases covering injection payload rejection
- SECURITY.md advisory
We would like to submit this as a proper PR once we can fork this repository. In the meantime, the full changeset is available for review at the link above.