lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20190617185815.3949-1-carmeli.tamir@gmail.com>
Date:   Mon, 17 Jun 2019 14:58:15 -0400
From:   Carmeli Tamir <carmeli.tamir@...il.com>
To:     viro@...iv.linux.org.uk, carmeli.tamir@...il.com,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] fs/binfmt: Changed order of elf and misc to prevent privilege escalation

The misc format handler is configured to work in many boards
and distributions, exposing a  volnurability that enables an 
attacker with a temporary root access to configure the system
to gain a hidden persistent root acces. This can be easily 
demonstrated using https://github.com/toffan/binfmt_misc .

According to binfmt_misc documentation 
(https://lwn.net/Articles/679310/), the handler is used
to execute more binary formats, e.g. execs compiled
for different architectures. After this patch, every 
mentioned example in the documentation shall work.

I tested this patch using a "positive example" - running
and ARM executable on an x86 machine using a qemu-arm misc 
handler, and a "negative example" of running the demostration 
by toffan I mention above. Before the patch both examples 
work, and after the patch only the positive example work
where the volnurability is prevented.

Signed-off-by: Carmeli Tamir <carmeli.tamir@...il.com>
---
 fs/binfmt_elf.c  | 2 +-
 fs/binfmt_misc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index d4e11b2e04f6..3a2afe84943c 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm)
 
 static int __init init_elf_binfmt(void)
 {
-	register_binfmt(&elf_format);
+	insert_binfmt(&elf_format);
 	return 0;
 }
 
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index b8e145552ec7..f4a9e1154cae 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void)
 {
 	int err = register_filesystem(&bm_fs_type);
 	if (!err)
-		insert_binfmt(&misc_format);
+		register_binfmt(&misc_format);
 	return err;
 }
 
-- 
2.21.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ