| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPWzz4xkw3mODZbucgLgambG6zUE02gF+vboT8vL+afOhaAu-g@mail.gmail.com> Date: Sun, 20 Sep 2020 11:59:54 +0200 From: Imre Rad <radimre83@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Google's osconfig agent - local privilege escalation Osconfig is a beta service by Google, a poll based "desired state configuration" solution: "You can use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for your VM instance (VM)." VMs on the Compute Engine have a privileged agent process called "google_osconfig_agent" running by default. The agent was vulnerable to local privilege escalation due to relying on a predictable path inside the /tmp directory. An unprivileged malicious process could abuse this flaw to win a race condition and take over the files managed by the high privileged agent process and thus execute arbitrary commands as the root user (full capabilities). Exploitation was possible only during an osconfig recipe being deployed. Google has fixed this issue recently (2020-09-05); remediation is to upgrade the process from the OS package repositories. (VMs that were created since the new version was published, are not affected.) More info and proof of concept code can be found here: https://github.com/irsl/google-osconfig-privesc More info about osconfig: https://cloud.google.com/compute/docs/os-config-management Imre _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists