Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 14:51:27 -0500
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Subject: Incomplete fix for CVE-2016-8641 (Nagios local root via (sym)links)

I don't know what I'm doing, and could use some advice.

CVE-2016-8641 relates to a symlink attack in the Nagios init script. If
he wishes, the "nagios" user can replace a specific file with a symlink,
and then the init script will chown the target of that symlink to the
"nagios" user the next time it is run.

A fix for this was released:

https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1

Largely it consists of passing "-h" to chown, preventing chown from
following symlinks. And yet symlinks are not the only kind of link.
Chown will follow the other kind, too, meaning that the fix in that
commit is insufficient. I'm able to pull off the same sort of attack.

I sent a note to the Nagios maintainer a few minutes ago, but I don't
know what the best course of action is regarding the CVE. Start a new
one? Amend the existing one? Pretend it never happened because it's
Christmas?

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ