Hi!

wapiflapi <wapifl...@yahoo.fr> wrote:
 |On 01/27/2017 07:45 PM, Steffen Nurpmeso wrote:
 |> wapiflapi <wapifl...@yahoo.fr> wrote:
 |>|This is a local root in s-nail tested on archlinux & ubuntu.
 |>|I'm cc-ing BSD people after Steffen's suggestion.
 |The problem is that the O_EXCL file is created with a user controlled
 |path because the di.di_hostname and di.di_randstr are never checked.
 |This means that using s-nail-privsep a normal user can create a file
 |anywhere on the filesystem, which is a security problem.

Oh, damn!  Yes, i have forgotten the hostname thing!  Fix in progress.

 |The attached exploit demonstrates that it is in fact a security problem
 |by abusing this to create a user controlled file in
 |/usr/share/polkit-1/actions/backdoor.policy thereby giving root
 |privileges to a normal user.
 |
 |The fchown only helps the exploit because now the user can write data to
 |the file (before it's closed.)

May do so.  Well.  Sure.  I see how many bugs i can introduce in so few lines.
Thanks again for reporting this!

 |> Thank you for using S-nail, and bringing this to my attention.
 |> I will give you credit for the iteration.
 |> Ciao.
 |
 |You're welcome :-)

Again thank you for your contribution to OSS!  Pffff.  ^.^

Ciao!

commit b1edf606 (HEAD -> refs/heads/notpushed)
Author:     Steffen (Daode) Nurpmeso <stef...@sdaoden.eu>
AuthorDate: 2017-01-27 20:33:25 +0100
Commit:     Steffen (Daode) Nurpmeso <stef...@sdaoden.eu>
CommitDate: 2017-01-27 20:33:25 +0100

    FIX privsep.c vulnerability, II (forgot hostname!) (wapiflapi)
---
 privsep.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/privsep.c b/privsep.c index a2268f76..70b0a179 100644 --- a/privsep.c +++ b/privsep.c @@ -71,6 +71,7 @@ n_msleep(uiz_t millis, bool_t ignint){ int main(int argc, char **argv){ + char hostbuf[64]; struct n_dotlock_info di; struct stat stb; sigset_t nset, oset; 
@@ -98,6 +99,21 @@ jeuse: " fewest lines of code in order to reduce attack surface.\n" " This program cannot be run by itself.\n"); exit(EXIT_USE); + }else{ + /* Prevent one more path injection attack vector, but be friendly */ + char const *ccp; + size_t i; + char *cp, c; + + for(ccp = argv[7], cp = hostbuf, i = 0; (c = *ccp) != '\0'; ++cp, ++ccp){ + *cp = (c == '/' ? '_' : c); + if(++i == sizeof(hostbuf) -1) + break; + } + *cp = '\0'; + if(cp == hostbuf) + goto jeuse; + argv[7] = hostbuf; } di.di_file_name = argv[3];

--steffen

S-nail-users@lists.sourceforge.net
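Review bot: the truncation in the second hunk's copy loop drops one byte more than intended: `if(++i == sizeof(hostbuf) -1) break;` leaves the loop before the `++cp` in the for-increment runs, so the following `*cp = '\0';` overwrites the 63rd character that was just stored and an over-long hostname is cut to 62 bytes although `hostbuf[64]` has room for 63 plus the terminator. No write ever goes past `hostbuf[62]`, so this is not a memory-safety problem, but the silent truncation also changes the resulting lock-file name for hosts whose names exceed the buffer; either size `hostbuf` from a named limit with a comment, or reject over-long values with `goto jeuse` the way the empty string is rejected. Replacing `/` by `_` confines argv[7] to a single path component, which is what closes the path injection reported above; if the sanitized value could ever form a complete path component on its own, a bare `.` or `..` would still pass this filter, so a short comment stating that the hostname is only ever embedded in a longer file name would document the assumption. The report also names `di.di_randstr` as unchecked, and this hunk only touches argv[7]; the "II" in the commit title suggests the random string was handled earlier, which is worth confirming so both arguments get the same treatment.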
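As an added example, not part of this thread and not s-nail's code, the following C function shows the check the patch above performs in a reusable form: a caller-supplied string is copied into a fixed buffer so that it can only ever be one path component. The function name `sanitize_component`, the buffer size, the `main()` and the traversal-style input are all constructed for this illustration. It goes beyond the patch in two labelled respects: it keeps all `outsz - 1` bytes when it has to truncate (the patch keeps one fewer), and it rejects a result that is exactly `.` or `..`, which matters only where the value could stand alone as a path element.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not s-nail code.  Copy `in` into `out` (capacity `outsz`)
 * such that the result can only be a single path component:
 *   - every '/' becomes '_', so the value cannot add directory levels;
 *   - the copy stops at outsz-1 bytes and is always NUL-terminated;
 *   - an empty result, or a bare "." / "..", is rejected (goes beyond the
 *     patch; relevant only if the value could be a whole path element).
 * Returns the number of bytes stored, or -1 if the value is rejected. */
int sanitize_component(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;

    /* Stop at NUL or when exactly one byte is left for the terminator,
     * so a 64-byte buffer keeps 63 characters, not 62. */
    for (; in[n] != '\0' && n < outsz - 1; ++n)
        out[n] = (in[n] == '/') ? '_' : in[n];
    out[n] = '\0';

    if (n == 0)
        return -1;
    if (strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
        return -1;
    return (int)n;
}

int main(void)
{
    char buf[64];
    /* Constructed input: a "hostname" argument carrying a traversal attempt. */
    int n = sanitize_component("../../../tmp/x", buf, sizeof buf);

    printf("%d \"%s\"\n", n, buf);   /* 14 ".._.._.._tmp_x" */
    return n < 0;
}
```

The rejecting return value is the point of the design: a privileged helper should refuse an argument it cannot make safe rather than quietly rewrite it, and the caller decides whether a rewritten (but still unique) name is acceptable.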