Hi!

wapiflapi <wapifl...@yahoo.fr> wrote:
 |On 01/27/2017 07:45 PM, Steffen Nurpmeso wrote:
 |> wapiflapi <wapifl...@yahoo.fr> wrote:
 |>|This is a local root in s-nail tested on archlinux & ubuntu.
 |>|I'm cc-ing BSD people after Steffen's suggestion.

 |The problem is that the O_EXCL file is created with a user controlled
 |path because the di.di_hostname and di.di_randstr are never checked.
 |This means that using s-nail-privsep a normal user can create a file
 |anywhere on the filesystem, which is a security problem.

Oh, damn!  Yes, I have forgotten the hostname thing!
Fix in progress.

 |The attached exploit demonstrates that it is in fact a security problem
 |by abusing this to create a user controlled file in
 |/usr/share/polkit-1/actions/backdoor.policy thereby giving root
 |privileges to a normal user.
 |
 |The fchown only helps the exploit because now the user can write data to
 |the file (before it's closed).

May do so.  Well.  Sure.  I see how many bugs I can introduce in
so few lines.
Thanks again for reporting this!

 |> Thank you for using S-nail, and bringing this to my attention.
 |> I will give you credit for the iteration.
 |> Ciao.
 |
 |You're welcome :-) Again thank you for your contribution to OSS!

Pffff. ^.^
Ciao!

commit b1edf606 (HEAD -> refs/heads/notpushed)
Author:     Steffen (Daode) Nurpmeso <stef...@sdaoden.eu>
AuthorDate: 2017-01-27 20:33:25 +0100
Commit:     Steffen (Daode) Nurpmeso <stef...@sdaoden.eu>
CommitDate: 2017-01-27 20:33:25 +0100

    FIX privsep.c vulnerability, II (forgot hostname!) (wapiflapi)
---
 privsep.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/privsep.c b/privsep.c
index a2268f76..70b0a179 100644
--- a/privsep.c
+++ b/privsep.c
@@ -71,6 +71,7 @@ n_msleep(uiz_t millis, bool_t ignint){
 
 int
 main(int argc, char **argv){
+   char hostbuf[64];
    struct n_dotlock_info di;
    struct stat stb;
    sigset_t nset, oset;
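Review bot: `char hostbuf[64]` is a bare magic size; give it a named constant (or derive it from the platform's host-name limit, e.g. a HOST_NAME_MAX-style value) so the truncation limit applied in the copy loop below has a documented origin, and add a short comment saying that a longer hostname is silently cut at that length.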
@@ -98,6 +99,21 @@ jeuse:
          "  fewest lines of code in order to reduce attack surface.\n"
          "  This program cannot be run by itself.\n");
       exit(EXIT_USE);
+   }else{
+      /* Prevent one more path injection attack vector, but be friendly */
+      char const *ccp;
+      size_t i;
+      char *cp, c;
+
+      for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){
+         *cp = (c == '/' ? '_' : c);
+         if(++i == sizeof(hostbuf) -1)
+            break;
+      }
+      *cp = '\0';
+      if(cp == hostbuf)
+         goto jeuse;
+      argv[7] = hostbuf;
    }
 
    di.di_file_name = argv[3];
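Review bot: off-by-one at the `break` in the copy loop: `break` skips the for-loop's `++cp`, so the following `*cp = '\0'` overwrites the last stored character instead of following it, and a long argv[7] ends up 62 bytes, not `sizeof(hostbuf) - 1`; either write `++cp;` before `break`, or test `i` before the store. Two smaller points: rewriting only '/' is the right minimum for a value that becomes one path component on POSIX, but a comment stating that this is the reason would help the next reader; and the report also names di_randstr as never checked, and nothing in this hunk touches it, so it should be confirmed that fix I covered that argument.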

--steffen
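An added example, not s-nail's own code, of the check the report is about: a privileged helper must validate an attacker-supplied value before it becomes part of the path it creates with O_EXCL. It shows the permissive rewrite the fix uses ('/' becomes '_', with the terminator placed after the last copied byte), a stricter allowlist check that refuses '/', "." and "..", and a final defence-in-depth test that the assembled path is exactly one component below the target directory. The lock-file layout `<dir>/<file>.lock.<host>.<rand>`, the `/var/mail` directory, the 64-byte limit, the function names and the sample inputs are assumptions made for this example; the hostile hostname is constructed from the target path in the report.

```c
/* Added example, not s-nail code: validating an attacker-controlled
 * "hostname" before a privileged helper uses it in an O_EXCL path.
 * Lock-file layout, function names and sample inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed buffer size, like the fix's hostbuf[64] */

/* Permissive approach (what the fix does): copy in -> out, rewriting
 * '/' to '_' so the value cannot add path components.  Stops after
 * outsz-1 bytes and always NUL-terminates.  Returns the number of bytes
 * stored, or -1 for an empty result, which the caller must reject. */
static int sanitize_component_rewrite(const char *in, char *out, size_t outsz){
   size_t n = 0;

   if(outsz == 0)
      return -1;
   for(; in[n] != '\0' && n < outsz - 1; ++n)
      out[n] = (in[n] == '/') ? '_' : in[n];
   out[n] = '\0';                /* after the last copied byte, never over it */
   return (n == 0) ? -1 : (int)n;
}

/* Strict approach: accept only characters that occur in hostnames and
 * refuse "." and "..".  Returns 1 if s may be used as one path
 * component, 0 otherwise.  Preferable in a setuid helper: reject, do
 * not repair. */
static int component_is_safe(const char *s, size_t maxlen){
   size_t i, n = strlen(s);

   if(n == 0 || n > maxlen || strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
      return 0;
   for(i = 0; i < n; ++i){
      unsigned char c = (unsigned char)s[i];
      if(!isalnum(c) && c != '-' && c != '.' && c != '_')
         return 0;
   }
   return 1;
}

/* Assumed lock name layout: <dir>/<file>.lock.<host>.<rand>.
 * Returns the length written, or -1 if it would not fit. */
static int build_lock_path(char *dst, size_t dstsz, const char *dir,
      const char *file, const char *host, const char *rnd){
   int n = snprintf(dst, dstsz, "%s/%s.lock.%s.%s", dir, file, host, rnd);

   return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

/* Defence in depth before open(..., O_CREAT|O_EXCL): the final path must
 * be exactly one component below dir.  Returns 1 if so, 0 otherwise. */
static int path_stays_under(const char *dir, const char *path){
   size_t dl = strlen(dir);
   const char *rest;

   if(strncmp(path, dir, dl) != 0 || path[dl] != '/')
      return 0;
   rest = path + dl + 1;
   return *rest != '\0' && strchr(rest, '/') == NULL &&
      strcmp(rest, ".") != 0 && strcmp(rest, "..") != 0;
}

/* Constructed sample: the report's target, handed over as the hostname. */
static const char HOSTILE_HOST[] =
   "../../usr/share/polkit-1/actions/backdoor.policy";

/* Returns 1 if the unchecked hostname would place the lock file outside
 * the mail directory (the reported bug), 0 otherwise. */
static int unchecked_host_escapes(void){
   char path[512];

   if(build_lock_path(path, sizeof path, "/var/mail", "inbox",
         HOSTILE_HOST, "r4nd0m") < 0)
      return 0;
   return !path_stays_under("/var/mail", path);
}

/* Returns 1 if the rewritten hostname keeps the lock file inside dir. */
static int rewritten_host_stays(void){
   char host[HOST_MAX], path[512];

   if(sanitize_component_rewrite(HOSTILE_HOST, host, sizeof host) < 0)
      return 0;
   if(build_lock_path(path, sizeof path, "/var/mail", "inbox",
         host, "r4nd0m") < 0)
      return 0;
   return path_stays_under("/var/mail", path);
}

int main(void){
   char host[HOST_MAX];

   printf("unchecked hostname escapes /var/mail: %d\n", unchecked_host_escapes());
   sanitize_component_rewrite(HOSTILE_HOST, host, sizeof host);
   printf("rewritten hostname: %s (stays: %d)\n", host, rewritten_host_stays());
   printf("strict check, hostile: %d, \"mx.example\": %d\n",
      component_is_safe(HOSTILE_HOST, HOST_MAX - 1),
      component_is_safe("mx.example", HOST_MAX - 1));
   return 0;
}
```

The rewrite variant is enough to stop traversal on POSIX, where '/' is the only separator, but a helper that runs with elevated privileges is better off refusing unexpected input than repairing it, and the `path_stays_under` check costs nothing as a last line before the `open`.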

S-nail-users@lists.sourceforge.net