Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Jul 2016 11:14:53 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: subuid security patches for shadow package

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> 1) Removing getlogin() to find out about users.
>    It relies on utmp, which is not a trusted base of info (group writable).

Possibly the concern is that the utmp entry might have a spoofed
username associated with the correct uid, and the attacker's goal is
to obtain unauthorized group privileges. We have not studied the code
in detail, but shadow-4.2.1/src/newgrp.c seems to have this sequence
of calls:

  pwd = get_my_pwent ();
     [ note that this calls getlogin ]
  grp = xgetgrgid (pwd->pw_gid);
  gid = grp->gr_gid;
  setgid (gid)

Use CVE-2016-6251 for the potentially unsafe use of getlogin.


>    there was a *int overflow*, which can be
>    tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
>    which produces no error but tries to write large "count" values to the uid_map
>    file

>> After checking some kernels, it looks like this int wrap is exploitable as a LPE,
>> as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64)
>> as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire
>> different view on the upper and lower bounds, making newuidmap overflow (and pass)
>> and still being in bounds inside the kernel.
>> 
>> So everyone shipping newuidmap as mode 04755 should fix it. :)

shadow-4.2.1/src/Makefile.in has:

  suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap

Use CVE-2016-6252 for the incorrect integer handling.


> From: ebiederm@...ssion.com (Eric W. Biederman)
> 
> Adding the shadow-development list, so there is a chance other people
> familiar with the code can comment as well.

There are no replies yet after the
http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-July/011017.html
post.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXj5TsAAoJEHb/MwWLVhi2x6cP/1MqBp/UizSC/Omsgd08miga
HwWaU2OmWD+3eXXvyHMevNaAKrtgk385Hb7anlZmFL3g+qveQ6z1mlfpOM0RnzP2
1Ugbuj6MWNva98dHEXXIqfl1imsXmUJVsFGZcDZ6lHiLjCDiwWWs6F6R+N3dNKDn
dxcG70pxp8Id63Gednmfv+kzE8STW6cephtY7Iwm2YDBrWfVuDbuNMYOODnfv3Sq
CPN+U+NrzFmZONMOyhsq0FxhPRYSEAiM2Z90su0p1hLXW+OEJ4r/2ntPgbOoaN2y
jUEFLlsDLrQqTjyhq+l6APHwR+v4riLqdCpen6Mu/p1d6IY880jjWpLAxX02mQw1
55o00PaKHutIusR7CJo+6GnYeL+DqViUB6ROwZhvScxsFDp/qug3awgjPr5BY4Pk
MtawRi5Ul5lvn1vZiHTnBFjPsg1GrBKSWHtI51wnyPdm/R75AwriHBEVZvBJAczh
ej7WFm0aNg6HfTIJsUWkqP27n7BYjukGYC6ntbDX+TBPLeRC4f9bhqPAHtDsVvRm
zGaPylqu7hskxe5vb8fkht37jgjBgxn2cAcaPmT8vYR4eFqYk3oKP+ON4vON+nbD
6ofFyLMqTgzKJySLDsOKZ0nYbIsxceJzqEuwMyl/q9QEbhEop0rFq0UmeppUoZg3
3bg8yO0WagWNIOKO+lEd
=+wdJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ