Description
Summary
All shipping glb-director command-line frontends copy user-supplied --config-file and --forwarding-table arguments into 256-byte globals with strcpy. Supplying any path longer than 255 bytes overflows into adjacent globals and downstream state before initialization completes.
These binaries are typically launched by systemd as root; a local adversary who can influence the service arguments (via drop-in overrides, env files, or direct invocation) can weaponize the overflow into arbitrary code execution with root privileges.
The same pattern exists in glb-director/cli/pcap_mode.c, so even the tooling builds are affected.
==312704==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000405a40 at pc 0x7fea2967ddc4 bp 0x7ffd73af3d40 sp 0x7ffd73af3500
WRITE of size 601 at 0x000000405a40 thread T0
#0 0x7fea2967ddc3 in strcpy.part.0 (/lib64/libasan.so.8+0x7ddc3) (BuildId: 10b8ccd49f75c21babf1d7abe51bb63589d8471f)
#1 0x000000401025 in get_options src/glb-director/shared_opt.c:55
#2 0x000000401469 in main /dev/shm/glb-director/better_poc_shared_opt.c:37
#3 0x7fea29411574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#4 0x7fea29411627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#5 0x000000400564 in _start (/dev/shm/glb-director/better_poc_shared_opt+0x400564) (BuildId: 1cc6c01eeb35f7a4a6f2803511098ff557c1b46f)
0x000000405a40 is located 0 bytes after global variable 'config_file' defined in 'better_poc_shared_opt.c:18:17' (0x000000405940) of size 256
0x000000405a40 is located 32 bytes before global variable 'forwarding_table' defined in 'better_poc_shared_opt.c:19:17' (0x000000405a60) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow src/glb-director/shared_opt.c:55 in get_options
The same overflow occurs in the production binary: if glb-director is invoked with a 600-character --config-file argument, it segfaults before initialization, confirming the flaw.
Impact
Privilege Escalation: Typical deployments run glb-director under root; exploiting this bug gives a low-privilege user full root execution on the host.
Service Disruption: Even accidental long arguments crash the load balancer immediately, taking traffic handling offline.
Regulatory/Safety Risk: Because the health-checker automatically rebuilds forwarding tables via CLI tooling, any automation that ingests user-controlled paths is a potential chokepoint for compromise.
Remediation
Check lengths before copying, or switch to bounded copies everywhere the CLI consumes paths. One minimal example for shared_opt.c:
/* shared_opt.c */
case 'c':
    /* strlcpy returns strlen(optarg); a result >= 256 means the copy was truncated */
    if (strlcpy(config_file, optarg, 256) >= 256) {
        glb_log_error("%s: --config-file path too long", argv[0]);
        glb_log_error_and_exit("aborting due to oversized argument");
    }
    break;
case 't':
    if (strlcpy(forwarding_table, optarg, 256) >= 256) {
        glb_log_error("%s: --forwarding-table path too long", argv[0]);
        glb_log_error_and_exit("aborting due to oversized argument");
    }
    break;
Apply the same bounds checking (or safer snprintf) to the copies in cli/pcap_mode.c (config_file, forwarding_table, pcap_filename, packet_filename).
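For platforms whose libc lacks strlcpy, the same check can be done with strnlen and memcpy. The following is an added example, not glb-director code: it assumes the two 256-byte path globals the report describes, a hypothetical set_path_option() standing in for the getopt loop, and a constructed 600-character argument like the one from the crash.

```c
#include <stdio.h>
#include <string.h>

/* Same layout the report describes: two 256-byte path globals. */
static char config_file[256];
static char forwarding_table[256];

/* Copy src into dst (dst_size bytes) only if it fits, NUL included.
 * Returns 0 on success, -1 if src is too long; dst is left untouched on
 * failure, so a rejected argument can never spill into a neighbouring global. */
int copy_path_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strnlen(src, dst_size);   /* never scans past dst_size */
    if (len >= dst_size)
        return -1;                         /* no room for the terminator */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hypothetical stand-in for the option handling: 'c' and 't' pick the target
 * buffer as in shared_opt.c. Returns 0 if the argument was accepted. */
int set_path_option(char opt, const char *optarg)
{
    switch (opt) {
    case 'c': return copy_path_arg(config_file, sizeof config_file, optarg);
    case 't': return copy_path_arg(forwarding_table, sizeof forwarding_table, optarg);
    default:  return -1;
    }
}

const char *get_config_file(void) { return config_file; }

/* Build a constructed path of n 'A' characters and offer it as --config-file. */
int try_config_path_of_length(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf) return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return set_path_option('c', buf);
}

int main(void)
{
    /* The 600-character argument from the report is rejected, not copied. */
    if (try_config_path_of_length(600) != 0)
        fprintf(stderr, "--config-file path too long, refusing to start\n");
    return try_config_path_of_length(255) == 0 ? 0 : 1;
}
```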
Note
HackerOne triage said "Thanks for the submission! We have reviewed your report and determined that it does not present a security risk." and closed my report, so public disclosure it is.