oss-sec mailing list archives
Re: subuid security patches for shadow package
From: Sebastian Krahmer <krahmer () suse com>
Date: Tue, 19 Jul 2016 14:51:19 +0200
On Tue, Jul 19, 2016 at 11:39:15AM +0200, Sebastian Krahmer wrote:
Hi The shadow package contains newuidmap and newgidmap suid binaries in order to allow users to take advantage of the userns feature of uid-mappings. I added patches here: https://bugzilla.suse.com/show_bug.cgi?id=979282 they consist of: 1) Removing getlogin() to find out about users. It relies on utmp, which is not a trusted base of info (group writable). 2) Cleaning up UID retrieval and computation. The 'long long' code was totally unclear to me, as the numbers are converted to ulong right afterwards anyway. Additionally there was a *int overflow*, which can be tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed) which produces no error but tries to write large "count" values to the uid_map file. Kernel may check for overflows itself, but it should not be allowed by a suid binary to be written in the first place.
After checking some kernels, it looks like this int wrap is exploitable as a LPE, as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64) as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire different view on the upper and lower bounds, making newuidmap overflow (and pass) and still being in bounds inside the kernel. Maybe it would be wise to align integer widths of kernel and the userspace tools. So everyone shipping newuidmap as mode 04755 should fix it. :) Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse com - SuSE Security Team
Current thread:
- subuid security patches for shadow package Sebastian Krahmer (Jul 19)
- Re: subuid security patches for shadow package Sebastian Krahmer (Jul 19)
- Re: subuid security patches for shadow package Eric W. Biederman (Jul 19)
- Re: [Pkg-shadow-devel] subuid security patches for shadow package Nicolas François (Jul 20)
- Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package Salvatore Bonaccorso (Jul 22)
- Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package Sebastian Krahmer (Jul 25)
- Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package Sebastian Krahmer (Jul 25)
- Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package Solar Designer (Jul 25)
- Re: subuid security patches for shadow package Eric W. Biederman (Jul 19)
- Re: subuid security patches for shadow package Sebastian Krahmer (Jul 19)