lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 6 Dec 2017 09:01:34 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Kevin Cernekee <cernekee@...omium.org>
Cc:     netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfilter: xt_osf: Add missing permission checks

On Tue, Dec 05, 2017 at 03:42:41PM -0800, Kevin Cernekee wrote:
> The capability check in nfnetlink_rcv() verifies that the caller
> has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
> However, xt_osf_fingers is shared by all net namespaces on the
> system.  An unprivileged user can create user and net namespaces
> in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
> check:
> 
>     vpnns -- nfnl_osf -f /tmp/pf.os
> 
>     vpnns -- nfnl_osf -f /tmp/pf.os -d
> 
> These non-root operations successfully modify the systemwide OS
> fingerprint list.  Add new capable() checks so that they can't.

Applied, thanks Kevin.

Powered by blists - more mailing lists