Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 22:10:52 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>
Subject: Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly

On Thursday, January 24, 2013 05:53:38 PM Kurt Seifried wrote:
> So again, if you know of a way to exploit this please let us know,
> otherwise we will continue to consider this a security hardening issue
> and not a security vulnerability.

The way these supplemental group issues work is that depending on the groups 
file, the daemon may try to change to user/group "nobody", but retains group 
root. This means that any file with group root write privs could be 
replaced/altered. My experience is that distros have enough files that 
permissions are wrong on something, somewhere. Its just a matter of finding it.

find / -type f -perm -00020 -printf "%-60p %g\t%M\n" 2>/dev/null

So, it boils down to the problem isn't a vulnerability by itself. However, 
should a _real_ vulnerability be found in the program, the CVSS score would be 
higher because the program has CWE-250.

-Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.