Date: Tue, 21 Jun 2016 13:41:22 +0200
From: Tomas Hoger <thoger@...hat.com>
To: Sebastian Krahmer <krahmer@...e.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: SELinux troubles

On Tue, 21 Jun 2016 11:45:01 +0200 Sebastian Krahmer wrote:

> 1)
> 
> This bug is mitigated since setroubleshoot that is found on RHEL 7.2,
> by running it as a dedicated user (untested).
> 
> Shell injection issue in setroubleshoot/audit_data.py:
> 
> def _set_tpath(self):
> [...]
>     if path.startswith("/") == False and inodestr:
>         import subprocess
>         command = "locate -b '\%s'" % path
>         try:
>             output = subprocess.check_output(command,
>                                              stderr=subprocess.STDOUT,
>                                              shell=True)
> [...]
> 
> 
> taking 'path' off AVC denial messages and constructing a command that's
> passed to "sh -c".  o.O
> Note that AVC denial messages appear outside of containers, so
> a setroubleshoot is usually run on the host, processing AVC messages
> from containers. This allows for an easy breakout.
> 
> 
> 2)
> 
> I did not test this, but even though the run_fix() function in
> SetroubleshootFixit.py is protected by auth_admin polkit rules, it looks
> like there's a good chance to pass XML documents via setroubleshoot's
> RPC/DBUS API that contain evil local_id or analysis_id fields and trick
> real admins to "fix" AVC denials that inject code:
> 
> [...]
>     def run_fix(self, local_id, analysis_id):
>         import commands
>         command = "sealert -f %s -P %s" % ( local_id, analysis_id)
>         return commands.getoutput(command)
> [...]
> 
> This is not mitigated by the run-as-user, since SetroubleshootFixit.py
> still runs as root (and probably needs to).

CVE-2016-4989 was assigned to the issues above.


There are additional similar problems in setroubleshoot and
setroubleshoot-plugins:

- CVE-2016-4445, setroubleshoot, affecting 'sealert --fix'.  Problem was
  already fixed in version 3.2.23.

  https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7

- CVE-2016-4444, setroubleshoot-plugins, allow_execmod plugin.  Also
  previously fixed in version 3.2.23.

  https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5

- CVE-2016-4446, setroubleshoot-plugins, allow_execstack plugin.
  Similar to the previous one, only using commands.getoutput instead of
  commands.getstatusoutput.

  https://github.com/fedora-selinux/setroubleshoot/blob/setroubleshoot-plugins-3.3.4/plugins/src/allow_execstack.py#L29

-- 
Tomas Hoger / Red Hat Product Security
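As an added example (not code from the list post or from setroubleshoot itself), the string-interpolated locate command from audit_data.py is shown next to an argv-based form, with a shell-style tokeniser to make visible where an AVC 'path' field breaks out of the quoting. The sample path values are constructed, and a Python child process stands in for locate so the argv round trip runs without mlocate installed.

```python
import shlex
import subprocess
import sys

# Constructed sample values for the 'path' field of an AVC denial; the second
# one carries the kind of shell metacharacters the post warns about.
BENIGN_PATH = "libfoo.so.1"
HOSTILE_PATH = "libfoo.so.1'; id; echo '"


def vulnerable_command(path):
    """The pattern from audit_data.py: the untrusted path is interpolated into
    a string that check_output(..., shell=True) hands to 'sh -c'."""
    return "locate -b '\\%s'" % path


def shell_tokens(command):
    """Tokenise a command line the way /bin/sh would (POSIX quoting rules,
    with ';' '|' '&' etc. as separate tokens) to show where injection lands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def hardened_argv(path):
    """Hardened form: an argv list and no shell, so the whole path is one
    argument whatever characters it contains.  The leading backslash from the
    original code is kept; it also means the argument never starts with '-'
    and so cannot be taken for an option."""
    return ["locate", "-b", "\\" + path]


def argv_roundtrip(path):
    """Show that an argv element reaches the child verbatim.  A Python child
    that echoes its first argument stands in for 'locate' here."""
    argv = hardened_argv(path)
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", argv[-1]]
    return subprocess.run(child, capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    print(shell_tokens(vulnerable_command(HOSTILE_PATH)))
    print(hardened_argv(HOSTILE_PATH))
    print(repr(argv_roundtrip(HOSTILE_PATH)))
```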
