oss-sec mailing list archives
Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation
From: Sebastian Krahmer <krahmer () suse de>
Date: Fri, 26 Aug 2011 10:43:55 +0200
Hi, You probably dont take into account the chown() that happens in lightdm. Just unlink the created ~/.dmrc or ~/.Xauthority files after creation and make a symlink to /etc/passwd to chown it to yourself. However I didnt dig deep enough into it to write an exploit as I dont have a working lightdm setup. The correct behavior is to temporarily drop euid/fsuid to that of the user if doing anything with his files. The PAM issue that I was curious about was that a pam_start() etc is done for the greeter-user (which I expect to be some "lightdm" user)? I would expect all pam_ calls are only done for the user who is actually about to login. The question that came up to me was whether pam_environment from the user would have impact on uid-0 called programs/scripts since you transfer the PAM env to the process env. Sebastian On Thu, Aug 25, 2011 at 05:54:23PM +0200, Yves-Alexis Perez wrote:
On mer., 2011-08-24 at 20:55 +0200, Yves-Alexis Perez wrote:And, out of curiosity, how would you achieve privilege escalation? You should be able to erase/rewrite arbitrary files, including /etc/shadow, but you don't really have control on what's written there.In gdm (CVE-2011-0727 I guess) the issue was that a g_file_copy() was run as root from files under user control (.dmrc and the avatar), to a cache dir with write permissions (afaict). So it was easy to put whatever stuff you need in the original file and make a symlink to /etc/shadow in the destination folder so the g_file_copy() would erase that: res = g_file_copy (src_file, dst_file, G_FILE_COPY_OVERWRITE | G_FILE_COPY_NOFOLLOW_SYMLINKS, NULL, NULL, NULL, &error); I'm not too sure what G_FILE_COPY_OVERWRITE means, if it truncate()s and write over of if it unlink()s and start fresh (digging in glib to find out). Apparenlty in the fallback case (not sure if it's the case here) it ends up doing a g_file_replace()). In any case, in lightdm case, for .Xauthority file it uses g_file_replace() which creates a temporary file and then rename over the new file, so in the worst case you overwrite a system file with xauthority data. Same thing for .dmrc, you can overwrite system files but with dmrc data which look like [Desktop] Session=xfce Lang=fr_FR.UTF-8 so it doesn't look easy to gain root access with that. LightDM maintains a cache for dmrc files in /var/cache/lightdm but the folder is created 0700 so it doesn't look like one can put symlinks there and have it use a user-controled .dmrc. All in all, I'm not too sure there's a privilege escalation for Xauthority/.dmrc files (but if one exists, I'm interested in how to do it, by curiosity). But you still damage pretty much any arbitrary file, which is still an easy DoS. Regards, -- Yves-Alexis
-- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team --- SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
Current thread:
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Yves-Alexis Perez (Aug 25)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Sebastian Krahmer (Aug 26)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Yves-Alexis Perez (Aug 26)
- Re: Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Yves-Alexis Perez (Aug 26)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Solar Designer (Aug 26)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Yves-Alexis Perez (Aug 29)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Solar Designer (Sep 05)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Yves-Alexis Perez (Aug 26)
- Re: [Pkg-xfce-devel] Bug#639151: Bug#639151: Bug#639151: Local privilege escalation Sebastian Krahmer (Aug 26)