Date: Wed, 20 Jul 2016 11:14:53 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: subuid security patches for shadow package -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) Removing getlogin() to find out about users. > It relies on utmp, which is not a trusted base of info (group writable). Possibly the concern is that the utmp entry might have a spoofed username associated with the correct uid, and the attacker's goal is to obtain unauthorized group privileges. We have not studied the code in detail, but shadow-4.2.1/src/newgrp.c seems to have this sequence of calls: pwd = get_my_pwent (); [ note that this calls getlogin ] grp = xgetgrgid (pwd->pw_gid); gid = grp->gr_gid; setgid (gid) Use CVE-2016-6251 for the potentially unsafe use of getlogin. > there was a *int overflow*, which can be > tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed) > which produces no error but tries to write large "count" values to the uid_map > file >> After checking some kernels, it looks like this int wrap is exploitable as a LPE, >> as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64) >> as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire >> different view on the upper and lower bounds, making newuidmap overflow (and pass) >> and still being in bounds inside the kernel. >> >> So everyone shipping newuidmap as mode 04755 should fix it. :) shadow-4.2.1/src/Makefile.in has: suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap Use CVE-2016-6252 for the incorrect integer handling. > From: ebiederm@...ssion.com (Eric W. Biederman) > > Adding the shadow-development list, so there is a chance other people > familiar with the code can comment as well. There are no replies yet after the http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-July/011017.html post. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXj5TsAAoJEHb/MwWLVhi2x6cP/1MqBp/UizSC/Omsgd08miga HwWaU2OmWD+3eXXvyHMevNaAKrtgk385Hb7anlZmFL3g+qveQ6z1mlfpOM0RnzP2 1Ugbuj6MWNva98dHEXXIqfl1imsXmUJVsFGZcDZ6lHiLjCDiwWWs6F6R+N3dNKDn dxcG70pxp8Id63Gednmfv+kzE8STW6cephtY7Iwm2YDBrWfVuDbuNMYOODnfv3Sq CPN+U+NrzFmZONMOyhsq0FxhPRYSEAiM2Z90su0p1hLXW+OEJ4r/2ntPgbOoaN2y jUEFLlsDLrQqTjyhq+l6APHwR+v4riLqdCpen6Mu/p1d6IY880jjWpLAxX02mQw1 55o00PaKHutIusR7CJo+6GnYeL+DqViUB6ROwZhvScxsFDp/qug3awgjPr5BY4Pk MtawRi5Ul5lvn1vZiHTnBFjPsg1GrBKSWHtI51wnyPdm/R75AwriHBEVZvBJAczh ej7WFm0aNg6HfTIJsUWkqP27n7BYjukGYC6ntbDX+TBPLeRC4f9bhqPAHtDsVvRm zGaPylqu7hskxe5vb8fkht37jgjBgxn2cAcaPmT8vYR4eFqYk3oKP+ON4vON+nbD 6ofFyLMqTgzKJySLDsOKZ0nYbIsxceJzqEuwMyl/q9QEbhEop0rFq0UmeppUoZg3 3bg8yO0WagWNIOKO+lEd =+wdJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ