Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Jan 2018 11:29:14 -0500
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-18078: systemd-tmpfiles root privilege
 escalation with fs.protected_hardlinks=0

On 01/29/2018 11:13 AM, Florian Weimer wrote:
> On 01/29/2018 05:09 PM, Michael Orlitzky wrote:
>> Correction to the CVE-ID: it's 2017, not 2018. So CVE-2017-18078.
> 
> Isn't it a duplicate of CVE-2013-4392?
> 

They look pretty similar. The symlink issue was fixed as far as I can
tell -- I tried to exploit them, and failed. The tmpfiles code is using
a clever trick:

  xsprintf(fn, "/proc/self/fd/%i", fd);
  ...
  if (chown(fn, ...

On Linux, the proc stuff is magic, and that just does the right thing,
even though a priori it looks like "chown" will follow symlinks.

Hard links were a different story, and there was no attempt made to
avoid them outside of relying on the fs.protected_hardlinks sysctl. So
if the administrator disables that protection, there's no safety net.

Did you cover the hard link problem in CVE-2013-4392, too? Regardless,
there is now some extra protection built-in to tmpfiles to reduce the
risk when the sysctl is disabled.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ