Bug#799756: core-network: Privilege escalation via core-gui

2015-10-10 Thread Eriberto Mota
forwarded 799756 https://github.com/coreemu/core/issues/75
thanks


Hi all,

I opened a formal bug[1] on the current upstream site.

[1] https://github.com/coreemu/core/issues/75

Regards,

Eriberto



Bug#799756: core-network: Privilege escalation via core-gui

2015-10-07 Thread Eriberto Mota
tags 799756 upstream
thanks


Hi all,

I am waiting for a reply from upstream.

Thanks for your comments.

Regards,

Eriberto



Bug#799756: core-network: Privilege escalation via core-gui

2015-09-22 Thread Salvatore Bonaccorso
Hi,

On Tue, Sep 22, 2015 at 10:29:10AM +0300, Marius Gavrilescu wrote:
> 
> Package: core-network
> Version: 4.8-1
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> This bug was found and reported by asaladin on OFTC #debian. As he has
> yet to report a bug, I'm reporting it for him.
> 
> Steps to reproduce:
> 1. Start core-gui as a normal user.
> 2. Create a host from the toolbar on the left.
> 3. Start the session using the green button on the toolbar.
> 4. Double-click on the host
> 
> Now you get a root shell. I've tested it by adding a line to /etc/passwd
> and by creating a file in /root/.
> 
> The bug is most probably in core-network-daemon, as that is the only
> part that runs as root. The bug should be exploitable without using the
> GUI, but I do not know enough about core-network to try to reproduce it
> using the command-line tools.

So this thread on the upstream discussion list
http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html
mentions this as known.

Gut feeling: should core-network maybe be removed from stable and
possibly as well from unstable for stretch given the above?

Regards,
Salvatore



Bug#799756: core-network: Privilege escalation via core-gui

2015-09-22 Thread Marius Gavrilescu

Looks like I haven't yet mastered the art of sending emails from phones.
Trying again from a proper mail client.

Salvatore Bonaccorso writes:

> http://pf.itd.nrl.navy.mil/pipermail/core-users/2015-August/001837.html
> mentions this as known.
>
> Gut feeling: should core-network maybe be removed from stable and
> possibly as well from unstable for stretch given the above?

My two ideas for fixing this (that might or might not work):
1. Instead of running the daemon as root, would it be enough to give it
   just the capabilities it needs to "create namespaces and lowlevel
   network interfaces"?
2. If not, how about requiring root to talk to the daemon?

Otherwise, removing it from jessie and stretch is a good idea. It
shouldn't be removed from sid as this RC bug will keep it from migrating
to stretch.
-- 
Marius Gavrilescu
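
Added example, not part of the thread or of CORE's code: one way to realise the second idea in the message above (only root may talk to the daemon). It assumes the daemon's control channel is a Unix domain socket on Linux, which the thread does not state; the function names and `ALLOWED_UIDS` are hypothetical.

```python
import os
import socket
import struct

# Assumption for this sketch: only root may drive the privileged daemon.
ALLOWED_UIDS = frozenset({0})

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } from <sys/socket.h>
_UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.

    Linux fills SO_PEERCRED in when the connection is made, so the values
    come from the kernel and not from anything the client sends.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def is_authorized(conn, allowed_uids=ALLOWED_UIDS):
    """True only for a Unix-socket peer whose UID is in allowed_uids."""
    if conn.family != socket.AF_UNIX:
        return False  # TCP peers carry no kernel-verified identity
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def handle_connection(conn, allowed_uids=ALLOWED_UIDS):
    """Gate a connection before any request from it is parsed or executed."""
    if not is_authorized(conn, allowed_uids):
        conn.sendall(b"DENIED\n")
        conn.close()
        return False
    conn.sendall(b"OK\n")
    return True


if __name__ == "__main__":
    # Constructed demo: a connected AF_UNIX pair stands in for daemon and client.
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print("peer (pid, uid, gid):", peer_credentials(daemon_end))
    print("accepted:", handle_connection(daemon_end))
    print("client saw:", client_end.recv(16))
```

Run as a normal user, the demo is refused, which is the behaviour the second idea asks for.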




Bug#799756: core-network: Privilege escalation via core-gui

2015-09-22 Thread Marius Gavrilescu

Package: core-network
Version: 4.8-1
Severity: critical
Tags: security
Justification: root security hole

This bug was found and reported by asaladin on OFTC #debian. As he has
yet to report a bug, I'm reporting it for him.

Steps to reproduce:
1. Start core-gui as a normal user.
2. Create a host from the toolbar on the left.
3. Start the session using the green button on the toolbar.
4. Double-click on the host

Now you get a root shell. I've tested it by adding a line to /etc/passwd
and by creating a file in /root/.

The bug is most probably in core-network-daemon, as that is the only
part that runs as root. The bug should be exploitable without using the
GUI, but I do not know enough about core-network to try to reproduce it
using the command-line tools.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages core-network depends on:
ii  core-network-daemon  4.8-1
ii  core-network-gui 4.8-1

core-network recommends no packages.

Versions of packages core-network suggests:
ii  tcpdump  4.7.4-1

-- no debconf information
-- 
Marius Gavrilescu

