Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 14:40:32 -0400 (EDT)
Subject: Re: kernel: fs.suid_dumpable=2 privilege escalation

Hash: SHA1


An alternative perspective might be:

  If any program is designed to execute code in a file (or perform
  a similar security-relevant action on the contents of a file)
  on the basis that the file exists in a specific directory, then
  the program is responsible for reasonably distinguishing between
  "intended files" and "stray files." The stray files must always
  be ignored.

You had mentioned content-based recognition of stray files, i.e., a
program should not choose a loose parsing strategy that results in
finding an executable item within a core dump. However, there can also
be name-based recognition.

An example of a program roughly consistent with this is run-parts -

  "the names must not end in .dpkg-old or .dpkg-dist or .dpkg-new or .dpkg-tmp"

Relative to the exploit
code for CVE-2006-2451, this would mean: cron is required to recognize
/etc/cron.d/core (regardless of content) as a stray file and ignore
its existence. This would similarly apply to other cron-like programs
that use the /etc/cron.d directory, or a different directory in an
analogous role.

The possible advantage of this perspective is that it covers the case
of root having a current working directory of /etc/cron.d while
running a non-setuid program. If that program happens to dump core, it
would seem to violate reasonable expectations for /etc/cron.d/core to
be processed as an intended file. Obviously the system could have an
unusual configuration in which /proc/sys/kernel/core_pattern has an
arbitrary unqualified pathname, not the usual "core" string, but maybe
that needs to be specified in the core_pattern documentation. For
example: "Some applications are designed to recognize core and the
core\..* pattern as stray files. For this reason, it is less safe to
choose arbitrary unqualified core_pattern values."

There hasn't been any final decision by MITRE. There might be multiple
CVEs, e.g.,

  - a Linux kernel CVE because unprivileged users can trigger creation
    of large files in otherwise-protected directories, leading to (at
    least) denial of service - consuming disk space on arbitrary
    filesystems without quotas, generating network traffic to
    slow/expensive remote filesystems, etc.

  - one CVE for each independent cron codebase that does not skip the
    /etc/cron.d/core filename and similar filenames, and has a parsing
    approach with a risk of executing something

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ