The Tech-giant has successfully launched an open-source PathAuditor tool for developers that will guide them in detecting files, accesses, and logs potential vulnerabilities by auditing libc functions.
PathAuditor is a shared library that can be loaded into processes using LD-PRELOAD, thereafter attaches itself to all file access related libc functions and verifies if the access is secure.
“The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec.”
The aforementioned statement by Google Security Blog indicated the presence of vulnerabilities in the system calls associated with file and directory paths.
The Google blog post also mentioned that
“we traverse the path and check if any component could be replaced by an unprivileged user, for example if a directory is user-writable. If we detect such a pattern, we log it to syslog for manual analysis.”
It also states that the attacker can create a path substitute through a symlink attack, where an attacker creates a temporary folder from the user server directory to root server directory and tries to execute malicious commands and access sensitive files with root-level privileges. The Google PathAuditor provides automatic analysis that detects such unusual path patterns and provides as much as information for further investigations. Thus, saves time and effort for manual analysis.
The PathAuditor has been proven to be successful at Google and they are happy to share it with the community. The source code is available at Github – PathAuditor, along with an example explaining the vulnerability as well.
Google concluded the release post mentioning
“The project is still in the early stages and we are actively working on it. We look forward to hearing about any vulnerabilities you discover with the tool, and hope to see pull requests with further improvements.”
Contact LIFARS Immediately if Your Organization was Hit with a Data Breach
