Date: Sun, 12 Aug 2012 23:49:46 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Jason A. Donenfeld" <Jason@...c4.com> Subject: Re: Tunnel Blick: Multiple Vulnerabilities to Local Root and DoS (OS X) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/11/2012 09:31 AM, Jason A. Donenfeld wrote: > Hi, > > Tunnel Blick, a popular OpenVPN manager for Macintosh, has several > vulnerabilities in an SUID helper. I'm not sure if this is the > place to report vulnerabilities in Macintosh software, but Tunnel > Blick is open source. > > From the bug report  on the vulnerable code : > > 1. A race condition in file permissions checking can lead to local > root. (PoC: ) > > 2. Insufficient checking of merely 0:0 744 can lead to local root > on systems with particular configurations. > > 3. Insufficient validation of path names can allow for arbitrary > kernel module loading, which can lead to local root. > > 4. Insufficient validation of path names can allow execution of > arbitrary scripts as root, leading to local root. (PoC: ) > > 5. Insufficient path validation in errorExitIfAttackViaString can > lead to deletion of files as root, leading to DoS. > > 6. Allowing OpenVPN to run with user given configurations can lead > to local root. > > Left one out. > > 7. Race condition in process killing. Sorry maybe it's just late but I'm not finding any links to the vulnerable code/fixed code which makes it difficult to verify these issues. If you could put links to the affected code/lines so I can quickly verify that would be helpful. E.g. I might need to merge some of these (#3 and #4 and #5 for example are all input validation?). > Thanks, Jason > >  http://code.google.com/p/tunnelblick/issues/detail?id=212  > http://code.google.com/p/tunnelblick/source/browse/trunk/tunnelblick/openvpnstart.m?r=2095 > >  http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c >  > http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh > > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJQKJV6AAoJEBYNRVNeJnmTUKoP/RFPVbuAKsrTOKea0fbSVXA5 gVqmHHuK0vEmJfi4HaUhKUsV5Vx+fq08TR+16CCYhCJwfZhzPcUPSYyswaXuP0Wi ZR8d+/jRPxRssBNeHkOey6ec2SaVwCJtVjnpaJAz0URE9421DX8217J9daOxcpK9 WVelp+jJuye9n5ykezGIg/dufZ3LMvZmdDHaD7Wce7Lx3dfvSSjSjwZZAPM36uzY WpTdil0pvv/wmmN4tECUOCC2oEaroJc8iKQa3/U3RHFUtIPRvNanS++uKmVgNSrk FP/xZie4TrduciHxTPUEfx3ubiLEqQO0Xm90EU6l6zesIqeNSxt7O42V9UX0ukk4 6PqkC/u/NbGfxm+W+GGOuN0HHEhl0Xvpq/kUKSIqCVHchEeWP/S59VbM48/0MhEC kWpbaKrOEfA9RG9uChYRiM3B4AO71yCRCksy+8QcvlOldoVnbGA239+aQ82CbCr3 JC+rDJyViyzj7p06cF03lZ6WZ5zgbRBtp6Ijn7MXRV55fpYuCIyC83js9Mp6DZaT +wnUM0iy5CzbKXUmcslw3//t6QO3+aVD0hiYK4HrjUYq4rwY+E8IYd5Hn5F7Tim5 rgrghd56GMe4cBn03/GUs6xVourQdUjyObN3MuLl+I8B9st34+AM0eSLvEeF+shE yXjS0VBOlI2YOK46f/DK =D+SB -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.