Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK4o1Wxc8cdz9w59KshLBbON9EA5N-YrZyaVyXD+AstBieTMMg@mail.gmail.com>
Date: Wed, 1 Apr 2015 00:11:18 +0100
From: Justin Cormack <justin@...cialbusservice.com>
To: musl@...ts.openwall.com
Cc: Rich Felker <dalias@...c.org>, busybox <busybox@...ybox.net>
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817

On 31 March 2015 at 20:07, Denys Vlasenko <vda.linux@...glemail.com> wrote:
> On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@...c.org> wrote:
>> For details on CVE-2015-1817, see:
>> http://www.openwall.com/lists/musl/2015/03/30/1
>>
>> With musl-linked Busybox installed setuid and ping enabled, exploiting
>> this issue is trivial.
>>
>> While CVE-2015-1817 is certainly musl's fault, there are two changes
>> to Busybox I'd like to propose that would have prevented it from being
>> exploitable:
>>
>> 1. Having setuid utilities like ping obtain the resource they need (in
>>    the case of ping, SOCK_RAW) without processing user input at all,
>>    then fully dropping root (setuid(getuid())) before doing anything.
>>    This has been standard practice for setuid programs since the 90s
>>    and it feels bad that busybox is not doing it.
>
> In general this is acceptable, but with this particular case
> and CVE, it wouldn't help.
>
> create_icmp_socket(lsa) needs to know of which address family
> the socket should be:
>
>         if (lsa->u.sa.sa_family == AF_INET6)
>                 sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
>         else
>                 sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */
>
> This is only known after HOST is parsed.
> And CVE is in DNS resolving code :(

One advantage if the traditional separation of ping and ping6.

>
>> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
>>    ping, which allows it to run without root.
>
> This seems to lead to a significantly larger code.

Slightly larger code or security holes. Is it really that much bigger?

Justin

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.