Bug#799756: core-network: Privilege escalation via core-gui
forwarded 799756 https://github.com/coreemu/core/issues/75
thanks

Hi all,

Opened a formal bug[1] on the current upstream site.

[1] https://github.com/coreemu/core/issues/75

Regards,

Eriberto
Bug#799756: core-network: Privilege escalation via core-gui
tags 799756 upstream
thanks

Hi all,

I am waiting for a reply from upstream.

Thanks for your comments.

Regards,

Eriberto
Bug#799756: core-network: Privilege escalation via core-gui
Hi,

On Tue, Sep 22, 2015 at 10:29:10AM +0300, Marius Gavrilescu wrote:
>
> Package: core-network
> Version: 4.8-1
> Severity: critical
> Tags: security
> Justification: root security hole
>
> This bug was found and reported by asaladin on OFTC #debian. As he has
> yet to report a bug, I'm reporting it for him.
>
> Steps to reproduce:
> 1. Start core-gui as a normal user.
> 2. Create a host from the toolbar on the left.
> 3. Start the session using the green button on the toolbar.
> 4. Double-click on the host
>
> Now you get a root shell. I've tested it by adding a line to /etc/passwd
> and by creating a file in /root/.
>
> The bug is most probably in core-network-daemon, as that is the only
> part that runs as root. The bug should be exploitable without using the
> GUI, but I do not know enough about core-network to try to reproduce it
> using the command-line tools.

So this thread on the upstream discussion list
http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html
mentions this as known.

Gut feeling: should core-network maybe be removed from stable and
possibly as well from unstable for stretch given the above?

Regards,
Salvatore
Bug#799756: core-network: Privilege escalation via core-gui
Looks like I haven't yet mastered the art of sending emails from
phones. Trying again from a proper mail client.

Salvatore Bonaccorso writes:

> http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html
> mention this as known.
>
> Gut feeling: should core-network maybe be removed from stable and
> possibly as well from unstable for stretch given the above?

My two ideas for fixing this (that might or might not work):

1. Instead of running the daemon as root, would it be enough to give it
   just the capabilities it needs to "create namespaces and lowlevel
   network interfaces"?

2. If not, how about requiring root to talk to the daemon?

Otherwise, removing it from jessie and stretch is a good idea. It
shouldn't be removed from sid as this RC bug will keep it from migrating
to stretch.

--
Marius Gavrilescu
Bug#799756: core-network: Privilege escalation via core-gui
Package: core-network
Version: 4.8-1
Severity: critical
Tags: security
Justification: root security hole

This bug was found and reported by asaladin on OFTC #debian. As he has
yet to report a bug, I'm reporting it for him.

Steps to reproduce:
1. Start core-gui as a normal user.
2. Create a host from the toolbar on the left.
3. Start the session using the green button on the toolbar.
4. Double-click on the host

Now you get a root shell. I've tested it by adding a line to /etc/passwd
and by creating a file in /root/.

The bug is most probably in core-network-daemon, as that is the only
part that runs as root. The bug should be exploitable without using the
GUI, but I do not know enough about core-network to try to reproduce it
using the command-line tools.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages core-network depends on:
ii  core-network-daemon  4.8-1
ii  core-network-gui     4.8-1

core-network recommends no packages.

Versions of packages core-network suggests:
ii  tcpdump  4.7.4-1

-- no debconf information

--
Marius Gavrilescu