Message-ID: <211d13631003291012n362a063fk8a2f54c89fb6b149@mail.gmail.com>
Date: Mon, 29 Mar 2010 10:12:38 -0700
From: John Adams <jna@...tter.com>
To: Tim Brown <timb@...-dimension.org.uk>
Cc: "Undisclosed.Recipients:"@lists.grok.org.uk,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Medium security hole in Varnish reverse proxy

Post some code that people can evaluate.

For starters, there's no reason why varnish ever has to run as root.
It never listens on privileged ports, and the C compiler is never
available over a network interface.

You can ask varnish to reload a configuration and recompile it, but
you'd have to have write access to the filesystem first. You can also
only cause recompilation to occur if the admin interface is up and
running, which can be easily disabled.

Poul is probably correct. Any vulnerabilities in Varnish with regards
to privilege escalation are configuration issues.

-j

On Mon, Mar 29, 2010 at 12:49 AM, Tim Brown <timb@...-dimension.org.uk> wrote:
> Hi,
>
> I've identified a couple of security flaws affecting the Varnish reverse proxy
> which may allow privilege escalation. These issues were reported by email to
> the vendor but he feels that it is a configurational issue rather than a design
> flaw.  Whilst I can partially see his point in that the administrative
> interface can be disabled, I'm not convinced that making a C compiler
> available over a network interface without authentication is sound practice,
> especially when the resultant compiled code can be made to run as root rather
> trivially.
>
> Tim
> --
> Tim Brown
> <mailto:timb@...-dimension.org.uk>
> <http://www.nth-dimension.org.uk/>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
