Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 21 Jun 2016 11:45:01 +0200
From: Sebastian Krahmer <krahmer@...e.com>
To: oss-security@...ts.openwall.com
Subject: SELinux troubles


Hi

As per list policy, this is the repost to oss-sec. CRD was
set to today. PoC may be found as straight-shooter.c inside
old troubleshooter git.
Please also note the container-damaging beauty this time.

Sebastian

----8<---------------

Hi

Due to a review request, it was necessary to have a look at setroubleshoot
again.

setroubleshoot (still) contains various code injection vulns, leading to
full (unconfined) root.
PoC has been tested on CentOS 6.6, 6.8 and 7. PoC as well works inside
Docker containers to achieve running in a setroubleshoot domain with
uid 0 on "the host". (PoC most likely also works on RHEL 6.x and 7 if
CentOS maps to it).
This is not CVE-2015-1815 and PoC runs on systems that are patched against it.

Here are the details:


1)

This bug is mitigated since setroubleshoot that is found on RHEL 7.2,
by running it as a dedicated user (untested).

Shell injection issue in setroubleshoot/audit_data.py:

def _set_tpath(self):
[...]
	if path.startswith("/") == False and inodestr:
		import subprocess
		command = "locate -b '\%s'" % path
		try:
	    	    output = subprocess.check_output(command,
		 	                             stderr=subprocess.STDOUT,
                                                     shell=True)
[...]


taking 'path' off AVC denial messages and constructing a command thats
passed to "sh -c".  o.O
Note that AVC denial messages appear outside of containers, so
a setroubleshoot is usually run on the host, processing AVC messages
from containers. This allows for an easy breakout.


2)

I did not test this, but even though the run_fix() function in
SetroubleshootFixit.py is protected by auth_admin polkit rules, it looks
like theres good chance to pass XML documents via setroubleshoots
RPC/DBUS API that contains evil local_id or analysis_id fields and trick
real admins to "fix" AVC denials that inject code:

[...]
    def run_fix(self, local_id, analysis_id):
         import commands
         command = "sealert -f %s -P %s" % ( local_id, analysis_id)
         return commands.getoutput(command)
[...]

This is not mitigated by the run-as-user, since SetroubleshootFixit.py
still runs as root (and probably needs to).


There are various other occurences of subprocess calls for "rpm" and others,
which have already been mentioned in the CVE-2015-1815 report but probably
still unfixed because of "missing PoC".

The codebase is huge, and I wonder what kind of lax handling and
user-surfacing code inside critical SELinux components this is, in particular
where SELinux' aim is to harden the system.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.com - SuSE Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.