Date: Wed, 1 Dec 2021 12:52:18 +0100 From: Jens Timmerman <jens@...et.be> To: oss-security@...ts.openwall.com Subject: Re: IMA gadgets On 11/30/21 22:27, Grant Taylor wrote: > >> This means an attacker can turn any binary into a SUID binary. The >> signatures do not cover these file attributes, so they will still >> verify. > > It may be possible to add SUID and / or capabilities to a signed file. > But I have to question how such a questionable non-SUID binary would > be given a signature in the first place? Or asked another why, why > would a questionable file be given a IMA signature in the first place? An attacker doesn't need to SUID a questionable binary, just any binary that would then allow to execute commands. e.g. /usr/bin/bash or less obvious but still obvious perl, python, vim, sudoedit, and 100's of other default tools that could be used to an attackers advantage once they are SUID.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.