Local Privilege Escalation in sccache

Root

Cause

The vulnerability lies in how the sccache client forwards environment variables to the server when submitting a compile request. The client copies the local environment, including the LD_PRELOAD variable, and sends it in the request [2][4]. The server then executes the compile command with those environment variables without sanitization. A FIXME comment in the source code already noted the risk of not stripping LD_PRELOAD [4].

Exploitation

An attacker can exploit this by setting LD_PRELOAD to the path of a malicious shared library. When the sccache client submits a compile request, the server loads the attacker-controlled library, executing arbitrary code with the server's privileges [1][2]. No additional authentication is needed beyond having a local user account on the same machine.

Impact

If the sccache server runs as root (the default when installed via the snap package [2][4]), a local unprivileged user can gain full root privileges by preloading a malicious library. This represents a complete compromise of the affected system, allowing the attacker to execute arbitrary commands or install persistent backdoors.

Mitigation

The vulnerability was fixed in sccache v0.4.0, released on 2023-03-17, where the environment variables are now stripped of LD_PRELOAD before sending to the server [3][4]. Users are strongly advised to update to this version or later. The fix was applied quietly without explicit mention in the release notes at the time [4].