Open Source and information security mailing list archives
Message-ID: <20030702230648.O59447-100000@dekadens.ghettot.org>
Date: Wed, 2 Jul 2003 23:14:36 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Carlos Villegas <villegas@...h.gatech.edu>
Subject: Re: Red Hat 9: free tickets


On Wed, 2 Jul 2003, Carlos Villegas wrote:

> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
>
> drwx------    4 root     root         4096 Jun 27 08:43 /var/run/sudo
>
> Which means that if the packages are properly built (and will make sure
> that this directory gets these permissions if it existed before the
> rpm is installed), this attack will gain you nothing, since you need
> to be root to exploit it.

You have missed a point.

Please look at any vulnerability archives on the net, there is one to
several insecure file creation reports every week in applications that
either are run as root, or are invoked from boot scripts, or from cron
jobs. In most of those cases, it is possible to create a dangling symlink
and then exploit this problem to create a file in a location the attacker
has chosen, with permissions of the victim (root).

Those vulnerabilities are generally considered a lesser threat, as there
seemed to be no practical method to easily gain root privileges just by
creating a file when no control over its contents can be exercised (again,
most cases). There is less interest in finding and fixing those problems,
and administrators are not that quick about addressing them.

Thanks to pam_timestamp_check[.so] and the way it is used in Red Hat, it
is now possible to gain root in a generic way in those scenarios.

That's all. I could post it along with results of a quick grep and a bunch
of programs that do create files this way, but I believe it would only
confuse the reader. I think it's pam_timestamp_check that should be fixed,
because it makes it needlessly trivial to exploit this vector.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-02 23:06 --
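
The primitive the message relies on, as an added example that is not part of the original post or of pam_timestamp_check: a program that opens a fixed path with O_CREAT follows a dangling symlink planted at that path, so the new file appears wherever the attacker pointed the link, with the creator's ownership; the same create done with O_EXCL|O_NOFOLLOW refuses instead. The scratch directory, the file names and the demo_result helper are this example's own assumptions. It runs unprivileged, with attacker and victim as the same user, and says nothing about the timestamp file layout that Red Hat's PAM module trusts; the point is only the file-creation vector itself.

```c
/* Added example (not from Zalewski's post): the insecure file creation
 * primitive described in the message, next to a hardened open() that
 * refuses it. Everything happens in a private scratch directory; in the
 * real scenario the creator is root and the redirected path is one that a
 * privileged consumer (pam_timestamp_check in the post) trusts. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: open(O_CREAT) follows a symlink found at `path`, so a
 * dangling link planted by the attacker redirects the create to the link's
 * target. This is the class of bug the post calls "insecure file creation". */
int create_insecure(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened pattern: O_EXCL makes the create fail if any entry already exists
 * at `path` (a dangling symlink counts), and O_NOFOLLOW refuses to traverse a
 * symlink in the last component, so the create cannot be redirected. */
int create_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

struct demo_result {
    int insecure_created_target; /* 1 if the victim's create landed at the attacker's path */
    int safe_refused;            /* 1 if the hardened create failed as intended */
    int safe_errno;              /* errno reported by the hardened create */
};

/* Plays both roles in a scratch directory built here (hypothetical names,
 * no real system paths). Returns 0 on success, -1 if the sandbox could not
 * be created. */
int run_demo(struct demo_result *r)
{
    char dir[64] = "/tmp/ticketdemo.XXXXXX";
    char planted[256], target[256];

    memset(r, 0, sizeof *r);
    if (!mkdtemp(dir)) {
        /* fall back to the current directory if /tmp is not writable */
        strcpy(dir, "./ticketdemo.XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(planted, sizeof planted, "%s/lock", dir);             /* path the victim creates */
    snprintf(target, sizeof target, "%s/attacker_choice", dir);    /* where the attacker wants it */

    /* Attacker: plant a dangling symlink where the victim will create its file. */
    if (symlink(target, planted) != 0) {
        rmdir(dir);
        return -1;
    }

    /* Victim (root in the real scenario): the insecure create follows the link. */
    create_insecure(planted);
    r->insecure_created_target = (access(target, F_OK) == 0);
    unlink(target);

    /* Same victim using the hardened create: the planted link makes it fail. */
    if (create_safe(planted) != 0) {
        r->safe_refused = 1;
        r->safe_errno = errno;
    }

    unlink(target);
    unlink(planted);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("sandbox setup");
        return 1;
    }
    printf("insecure create landed at attacker's path: %s\n",
           r.insecure_created_target ? "yes" : "no");
    printf("hardened create refused: %s (%s)\n",
           r.safe_refused ? "yes" : "no", strerror(r.safe_errno));
    return 0;
}
```

O_EXCL on its own already defeats the redirect for a create, because the kernel rejects the open when the planted entry exists, without following it; O_NOFOLLOW additionally protects opens that do not create. For files that must be created in a shared directory the usual fixes are mkstemp() for unpredictable names, or opening the directory once and using openat() relative to that descriptor so the path cannot be swapped under the program between check and use.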