Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-11-19 Thread Bernard Massot
On 21/10/2014 at 12:06, Ondřej Surý wrote:
> This change will be included in next wheezy update of PHP.
Debian Wheezy has Sed 4.2.1, whereas the "-z" option was added in Sed 4.2.2.
As a consequence /usr/lib/php5/sessionclean is broken on Debian Stable!

Please fix.
-- 
Bernard Massot


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-22 Thread Fiedler Roman
> From: Ondřej Surý [mailto:ond...@sury.org]
> 
> This should then fix even your case...
> 
> [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "/var/lib/php5" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"
> 
> touch -c -h '/var/lib/php5/xxx\'
> touch -c -h 'n/var/lib/php5/passwd'

Looks really good, I'm at my wit's end with any more comments/improvements.

Only things I could think of

* strange behaviour with multibyte encodings (never dealt with that on C level)
* lsof peculiarities I did not notice till now (e.g. races)

[Snip]




Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-22 Thread Ondřej Surý
This should then fix even your case...

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "/var/lib/php5" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'"

touch -c -h '/var/lib/php5/xxx\'
touch -c -h 'n/var/lib/php5/passwd'

Right?

Cheers,
Ondrej

On Wed, Oct 22, 2014, at 15:14, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ond...@sury.org]
> > 
> > Control: tags -1 +pending
> > 
> > On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> > > On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > > >
> > > > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > > > >
> > > > > > This will fix it for arbitrary symlinks, the only remaining issues 
> > > > > > would
> > > > > > be
> > > > > >
> > > > > > a) keeping open a file ".. ", which will update the parent 
> > > > > > directory
> > > > > > modification time.
> > > > >
> > > > > Which parent directory? The session dir or the symlink target parent
> > > > > directory?
> > > >
> > > > The /var/lib directory: Since the parsing of the lsof output is
> > > > broken (awk uses "$9"), an open file ".. " will cause touch -c
> > > > "/var/lib/php5/.." without involving any symlinks.
> > >
> > > I see...
> > 
> > Thanks for the analysis; while the impact is very low, it's worth
> > updating.
> > 
> > > [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}
> > 
> > This change will be included in next wheezy update of PHP.
> 
> No, this seems not to solve it (I hope I haven't screwed something up
> while testing), consider the sequence (PID ordering is important!):
> 
> mkdir -p $'/var/lib/php5/xxx\n/var/lib'
> ln -s /etc $'/var/lib/php5/xxx\n/var/lib/php5'
> sleep 1000 > '/var/lib/php5/xxx\' &
> sleep 1000 > /var/lib/php5/passwd &
> 
> Even touch -h does not help here, only kernel symlink protection prevents
> damage.
> 
> But maybe this is a problem with xargs usage? If it is an xargs bug this
> would have a much broader scope, more of a topic for security@d.
> 
> > > JFTR jessie&sid has a new script that takes a different approach and
> > > might suffer from the same bug if you manage to open a file in
> > > /var/lib/php5/sessions/ with an active php5 process.
> > 
> > If you find a similar vulnerability in the new session script, please
> > open a new bug.
> 
> Looking at the new script, I guess that it should be possible for any
> user allowed to write to sessions to update any file he has read access
> to. But of course, it is not so simple as with the old script.
> 
> To prove this, I would have to prepare a machine with sid (unless you
> have one ready with remote SSH for testing)


-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-22 Thread Ondřej Surý
On Wed, Oct 22, 2014, at 15:14, Fiedler Roman wrote:
> To prove this, I would have to prepare a machine with sid (unless you
> have one ready with remote SSH for testing)

You don't really need a sid machine, just copy the script from the
package.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-22 Thread Fiedler Roman
> From: Ondřej Surý [mailto:ond...@sury.org]
> 
> Control: tags -1 +pending
> 
> On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> > On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > >
> > > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > > >
> > > > > This will fix it for arbitrary symlinks, the only remaining issues 
> > > > > would
> > > > > be
> > > > >
> > > > > a) keeping open a file ".. ", which will update the parent 
> > > > > directory
> > > > > modification time.
> > > >
> > > > Which parent directory? The session dir or the symlink target parent
> > > > directory?
> > >
> > > The /var/lib directory: Since the parsing of the lsof output is
> > > broken (awk uses "$9"), an open file ".. " will cause touch -c
> > > "/var/lib/php5/.." without involving any symlinks.
> >
> > I see...
> 
> Thanks for the analysis; while the impact is very low, it's worth
> updating.
> 
> > [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}
> 
> This change will be included in next wheezy update of PHP.

No, this seems not to solve it (I hope I haven't screwed something up while 
testing), consider the sequence (PID ordering is important!):

mkdir -p $'/var/lib/php5/xxx\n/var/lib'
ln -s /etc $'/var/lib/php5/xxx\n/var/lib/php5'
sleep 1000 > '/var/lib/php5/xxx\' &
sleep 1000 > /var/lib/php5/passwd &

Even touch -h does not help here, only kernel symlink protection prevents 
damage.

But maybe this is a problem with xargs usage? If it is an xargs bug this would 
have a much broader scope, more of a topic for security@d.

> > JFTR jessie&sid has a new script that takes a different approach and
> > might suffer from the same bug if you manage to open a file in
> > /var/lib/php5/sessions/ with an active php5 process.
> 
> If you find a similar vulnerability in the new session script, please
> open a new bug.

Looking at the new script, I guess that it should be possible for any user 
allowed to write to sessions to update any file he has read access to. But 
of course, it is not so simple as with the old script.

To prove this, I would have to prepare a machine with sid (unless you have one 
ready with remote SSH for testing)




Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-21 Thread Ondřej Surý
Control: tags -1 +pending

On Tue, Oct 21, 2014, at 11:33, Ondřej Surý wrote:
> On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > 
> > > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > > >
> > > > > Hi,
> > > > >
> > > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > > >
> > > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > > be
> > > >
> > > > a) keeping open a file ".. ", which will update the parent directory
> > > > modification time.
> > > 
> > > Which parent directory? The session dir or the symlink target parent
> > > directory?
> > 
> > The /var/lib directory: Since the parsing of the lsof output is
> > broken (awk uses "$9"), an open file ".. " will cause touch -c
> > "/var/lib/php5/.." without involving any symlinks.
> 
> I see...

Thanks for the analysis; while the impact is very low, it's worth
updating.

> [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}

This change will be included in next wheezy update of PHP.

> JFTR jessie&sid has a new script that takes a different approach and
> might suffer from the same bug if you manage to open a file in
> /var/lib/php5/sessions/ with an active php5 process.

If you find a similar vulnerability in the new session script, please
open a new bug.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-21 Thread Ondřej Surý
On Tue, Oct 21, 2014, at 11:16, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ond...@sury.org]
> > 
> > On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > > > From: Ondřej Surý [mailto:ond...@sury.org]
> > > >
> > > > Hi,
> > > >
> > > > TL;DR: "s/touch -c/touch -c -h/", right?
> > >
> > > This will fix it for arbitrary symlinks, the only remaining issues would
> > > be
> > >
> > > a) keeping open a file ".. ", which will update the parent directory
> > > modification time.
> > 
> > Which parent directory? The session dir or the symlink target parent
> > directory?
> 
> The /var/lib directory: Since the parsing of the lsof output is
> broken (awk uses "$9"), an open file ".. " will cause touch -c
> "/var/lib/php5/.." without involving any symlinks.

I see...

[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -Fn | grep -E "^n" | cut -b 2- | xargs -i touch -c -h {}

JFTR jessie&sid has a new script that takes a different approach and
might suffer from the same bug if you manage to open a file in
/var/lib/php5/sessions/ with an active php5 process.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-21 Thread Ondřej Surý
On Tue, Oct 21, 2014, at 10:55, Fiedler Roman wrote:
> > From: Ondřej Surý [mailto:ond...@sury.org]
> > 
> > Hi,
> > 
> > TL;DR: "s/touch -c/touch -c -h/", right?
> 
> This will fix it for arbitrary symlinks, the only remaining issues would
> be
> 
> a) keeping open a file ".. ", which will update the parent directory
> modification time.

Which parent directory? The session dir or the symlink target parent
directory?

> b) keeping open a file "[otherfilename] [random]", which will prevent
> arbitrary other sessions from timing out. Since most likely malicious
> process should be "www-data", this is not of any significance.

The httpd user (www-data) has access to all session files if the
attacker knows the session name.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Bug#766147: [php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

2014-10-21 Thread Ondřej Surý
Hi,

TL;DR: "s/touch -c/touch -c -h/", right?

Cheers,
Ondrej

On Tue, Oct 21, 2014, at 09:52, Fiedler Roman wrote:
> Package: php5-common 
> Version: 5.4.4-14+deb7u14
> Tags: security
> 
> /usr/lib/php5/sessionclean from [1] enables any process allowed to create
> entries in /var/lib/php5 to adjust the modification time of any file by
> waiting for the /etc/cron.d/php5 session cleanup job to run. This
> requires
> /proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
> default in Debian 7 Wheezy and up according to information from Debian
> security team.
> 
> Even for affected systems, the impact might be small, just annoying:
> 
> * backup/IDS might be unhappy when file modification time is changed
> every
> 30min
> * some spoolers might work differently since stale file could be
> prevented
> from reaching required age for next action
> * some privileged /proc or /sys entries might not handle modification
> time
> update correctly or react in a strange way
> * Sudo credentials cache might be affected (not checked)
> 
> To my judgement, the session cleanup code does _NOT_ allow creating
> arbitrary files ("touch -c" is used), hence it would not be possible to
> use
> this to create e.g. /etc/suid-debug
> 
> POC:
> 
> su -s /bin/bash nobody
> cd /var/lib/php5
> ln -s /etc/passwd xxx
> cat > "xxx yyy"
> # wait
> 
> [1]
> http://http.us.debian.org/debian/pool/main/p/php5/php5-common_5.4.4-14+deb7u
> 14_i386.deb
> 
> ___
> pkg-php-maint mailing list
> pkg-php-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint


-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
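Added example, not Debian's sessionclean script or any code from this thread: a Python keep-alive step for the session directory that applies the checks the thread converges on (use the entry name verbatim instead of re-splitting it on whitespace, accept only a single path component, never update a timestamp through a symlink, never create a file), plus a constructed scenario showing that a symlinked session entry leaves its target's mtime alone. The function names keepalive_session_file and demo are assumed, not part of the package.

```python
import os
import stat
import tempfile

def keepalive_session_file(session_dir: str, name: str) -> bool:
    """Set the mtime of session_dir/name to now, like "touch -c -h", but
    only when name is one plain directory entry that is a regular file.
    Returns True if updated, False if rejected or missing."""
    # name comes from tool output and is attacker-influenced: it is used
    # verbatim (never re-split on whitespace, so ".. " stays ".. " and
    # does not become "..") and must be a single path component.
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        return False
    # Work relative to a descriptor of the session directory itself so a
    # swapped-in symlink for the directory cannot redirect the update.
    dfd = os.open(session_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        except FileNotFoundError:
            return False  # "-c" semantics: never create anything
        # Stricter than touch -h: a symlink is not updated at all, so
        # neither the link nor its target (e.g. /etc/passwd) changes.
        if not stat.S_ISREG(st.st_mode):
            return False
        os.utime(name, None, dir_fd=dfd, follow_symlinks=False)
        return True
    finally:
        os.close(dfd)

def demo() -> dict:
    """Constructed scenario in a temp dir: one real session file and one
    symlink named like a session file that points at an outside file."""
    base = tempfile.mkdtemp()
    sessions = os.path.join(base, "sessions")
    os.mkdir(sessions)
    target = os.path.join(base, "passwd")      # stands in for /etc/passwd
    real = os.path.join(sessions, "sess_real")
    for path in (target, real):
        with open(path, "w") as f:
            f.write("x\n")
        os.utime(path, (1000000000, 1000000000))   # clearly stale mtime
    os.symlink(target, os.path.join(sessions, "sess_link"))
    return {
        "link_touched": keepalive_session_file(sessions, "sess_link"),
        "parent_touched": keepalive_session_file(sessions, ".. "),
        "real_touched": keepalive_session_file(sessions, "sess_real"),
        "target_mtime_unchanged": int(os.stat(target).st_mtime) == 1000000000,
        "real_mtime_updated": int(os.stat(real).st_mtime) > 1000000000,
    }
```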

