<?xml version="1.0"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
   <channel>
      <title>halfdog.net security news</title>
      <link>https://www.halfdog.net/Security/</link>
      <description>Halfdog IT-security news channel: an automated way to get new information independent of third parties. The main topics are application and operating system security, secure programming, vulnerability analysis and exploitation, and security best practices.</description>
      <language>en-us</language>
      <pubDate>Tue, 17 Mar 2015 12:25:00 +0000</pubDate>
      <lastBuildDate>Sun, 07 Jan 2018 12:00:00 +0000</lastBuildDate>
      <ttl>60</ttl>
      <category>IT Security</category>
      <copyright>Copyright 2015-2017 me at halfdog.net</copyright>
      <generator>Manually</generator>
      <managingEditor>me at halfdog.net @ keep-validator-happy</managingEditor>
      <webMaster>admin at halfdog.net @ keep-validator-happy</webMaster>
      <atom:link href="https://www.halfdog.net/Security/rss.xml" rel="self" type="application/rss+xml" />

      <item>
         <title>D-RamPage safe row-hammer privilege escalation</title>
         <link>https://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/</link>
         <description>Publication: description of a novel approach
for risk-free exploitation of row-hammer bugs on Linux
systems. The D-RamPage POC allows a disk cache page of a critical
system component, e.g. a SUID binary, to be modified again and
again until escalation succeeds. With proper preparation, this
is done without crashing the system when an escalation attempt fails. Read
more at https://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/</description>
         <pubDate>Tue, 17 Mar 2015 12:25:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20150316-SafeRowhammerPrivilegeEscalation</guid>
      </item>

      <item>
         <title>TIOCSTI: a gift that keeps on giving, now to OpenSSH</title>
         <link>http://www.openwall.com/lists/oss-security/2015/09/03/1</link>
         <description>The feature to write characters back into
a TTY or pseudo-terminal may be anachronistic today. But as
long as it exists, it reliably turns an annoyance, e.g.
a leaked file descriptor or, as with OpenSSH, wrong permissions,
into a neat privilege escalation vulnerability. But perhaps this feature
is now getting the same treatment as ptrace, a stricter definition
of the caller context, or even more? See
http://www.openwall.com/lists/oss-security/2015/09/03/1</description>
         <pubDate>Sat, 5 Sep 2015 07:09:00 +0000</pubDate>
         <guid isPermaLink="false">http://www.openwall.com/lists/oss-security/2015/09/03/1#1441436991</guid>
      </item>
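Added example (not code from the original post, OpenSSH or the oss-security thread): the defensive side of the TIOCSTI problem described above. A privileged program should find and close terminal descriptors before it drops privileges or spawns a helper, because a child that still shares the parent's controlling terminal can push keystrokes into it. The names tty_fds(), close_tty_fds(), leaked_fd_demo() and try_tiocsti() are chosen here; try_tiocsti() reproduces the injection on a private pseudo-terminal pair and returns None where the kernel refuses it (TIOCSTI is only permitted on the caller's controlling tty or with CAP_SYS_ADMIN, and newer kernels can switch it off via dev.tty.legacy_tiocsti).

```python
import fcntl
import os
import termios


def tty_fds():
    """List the open file descriptors of this process that refer to a terminal.

    Any such descriptor inherited by a less trusted child is a "leaked" tty
    fd: if that terminal is also the child's controlling tty, TIOCSTI lets
    it push keystrokes into it as if the user had typed them.
    """
    found = []
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        try:
            if os.isatty(fd):
                found.append(fd)
        except OSError:
            pass  # the listing fd itself is already closed by now
    return sorted(found)


def close_tty_fds(keep=()):
    """Close every terminal descriptor not listed in `keep`; return what was closed.

    Call this in the privileged parent right before dropping privileges or
    exec'ing a helper, so the helper cannot talk to your terminal at all.
    """
    closed = []
    for fd in tty_fds():
        if fd not in keep:
            os.close(fd)
            closed.append(fd)
    return closed


def leaked_fd_demo():
    """Constructed scenario: a fresh pty slave plays the role of a leaked tty fd.

    Returns (seen_before, closed, seen_after).
    """
    master, slave = os.openpty()
    try:
        keep = [fd for fd in tty_fds() if fd != slave]  # leave stdin/stdout alone
        seen_before = slave in tty_fds()
        closed = close_tty_fds(keep=keep)
        seen_after = slave in tty_fds()
        return seen_before, closed, seen_after
    finally:
        os.close(master)


def try_tiocsti(text=b"ok\n"):
    """Push `text` into a private pty with TIOCSTI, one byte per ioctl, then read it back.

    The kernel only allows TIOCSTI on the caller's controlling tty (or with
    CAP_SYS_ADMIN), and newer kernels can disable it via dev.tty.legacy_tiocsti,
    so this returns None where injection is refused. The pty is in canonical
    mode, so the trailing newline completes the line and the read returns at once.
    """
    master, slave = os.openpty()
    try:
        for byte in text:
            fcntl.ioctl(slave, termios.TIOCSTI, bytes([byte]))
        return os.read(slave, 64)
    except OSError:
        return None
    finally:
        os.close(master)
        os.close(slave)
```

The leaked-descriptor variant works precisely because the controlling-tty condition is met: a child that has dropped privileges still shares its parent's controlling terminal, so one tty fd left open across the privilege switch is enough. Closing those descriptors, or calling setsid() in the child, breaks that.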

      <item>
         <title>Apport crash handling symlink attacks for privilege escalation</title>
         <link>https://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/</link>
         <description>Publication: Ubuntu ships the apport tool
for automatic crash reporting. Its kernel_crashdump component is prone to symlink
and hardlink attacks, allowing denial of service or local
root privilege escalation on some systems. Read more at
https://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/</description>
         <pubDate>Thu, 24 Sep 2015 05:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20150924-ApportKernelCrashdumpFileAccessVulnerabilities</guid>
      </item>

      <item>
         <title>Mandb user man to root local privilege escalation</title>
         <link>https://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/</link>
         <description>Publication: On some Linux systems, the man
database comes with a cleanup job to remove catman pages created
as user man. A hardlink attack combined with a TOCTOU vulnerability
allows privilege escalation from user man to root. Read more at https://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/</description>
         <pubDate>Mon, 14 Dec 2015 00:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20151214-MandbCleanupCronJobyPrivilegeEscalation</guid>
      </item>

      <item>
         <title>Setgid directory privilege escalation</title>
         <link>https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/</link>
         <description>Publication: On some Linux systems,
directories with the setgid bit set may be found. If a user not belonging
to that group is allowed to write to such a directory, he may escalate privileges
to that group, as demonstrated with group man on Ubuntu Vivid.
Read more at https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/</description>
         <pubDate>Mon, 14 Dec 2015 00:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20151214-SetgidDirectoryPrivilegeEscalation</guid>
      </item>
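Added example (not code from the original publication): the audit a practitioner wants after reading the item above. A file created inside a setgid directory inherits the directory's group, so a setgid directory that anybody can write to lets a user who is not in that group plant group-owned files; this walks a tree and reports exactly those directories. The helper names writable_setgid_dirs() and demo_tree() are chosen here, and demo_tree() builds a constructed temporary tree to show one finding.

```python
import os
import stat
import tempfile


def has_bit(mode, bit):
    """True if the single-bit mask `bit` (e.g. stat.S_ISGID) is set in `mode`."""
    return (mode // bit) % 2 == 1


def writable_setgid_dirs(root):
    """Walk `root` without following symlinks and report setgid directories
    that anybody can write to.

    Returns a sorted list of (path, gid, mode_string) tuples. Group-writable
    setgid directories are the normal sharing setup and are not reported;
    the finding is the world-writable bit on top of setgid.
    """
    candidates = [root]
    for dirpath, dirnames, _files in os.walk(root):
        candidates.extend(os.path.join(dirpath, d) for d in dirnames)
    findings = []
    for path in candidates:
        try:
            st = os.lstat(path)  # lstat: a symlink to a directory is not a directory here
        except OSError:
            continue  # vanished or unreadable; not ours to judge
        if not stat.S_ISDIR(st.st_mode):
            continue
        if has_bit(st.st_mode, stat.S_ISGID) and has_bit(st.st_mode, stat.S_IWOTH):
            findings.append((path, st.st_gid, stat.filemode(st.st_mode)))
    return sorted(findings)


def demo_tree():
    """Constructed example tree: `shared` is an ordinary setgid group directory,
    `open` is a setgid directory that is also world-writable.

    Returns (root, findings); only `open` should be reported.
    """
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")
    wide = os.path.join(root, "open")
    os.mkdir(shared)
    os.mkdir(wide)
    os.chmod(shared, 0o2770)
    os.chmod(wide, 0o2777)
    return root, writable_setgid_dirs(root)
```

Run writable_setgid_dirs("/var") or writable_setgid_dirs("/") on a host to get the list; the fix for each hit is to remove the world-writable bit or to drop setgid, whichever matches the directory's purpose.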

      <item>
         <title>Linux user namespaces overlayfs local root</title>
         <link>https://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/</link>
         <description>Publication: Linux user namespaces overlayfs
local root: overlayfs in user namespaces was missing a permission
check, thus allowing creation of modified SUID binaries to escalate
privileges, e.g. on Ubuntu Wily. Read more at https://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/.</description>
         <pubDate>Sun, 10 Jan 2016 13:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160110-UserNamespaceOverlayfsSetuidWriteExec</guid>
      </item>

      <item>
         <title>NTP user root privilege escalation via statsdir daily cronjob</title>
         <link>https://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/</link>
         <description>Publication: NTP user root privilege escalation
via statsdir daily cronjob: The cronjob script bundled with the ntp
package on Ubuntu is intended to clean up the statistics
files produced by the NTP daemon when statistics are enabled.
The script runs as root from the daily cronjobs and performs all operations
on a statistics directory controlled by the ntp user. Various flaws
allow escalation from the ntp user to root. Read more at
https://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/.</description>
         <pubDate>Thu, 21 Jan 2016 19:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160121-NtpCronjobUserNtpToRootPrivilegeEscalation</guid>
      </item>
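Added example (not code from any of the publications, nor from the apport, man-db or ntp packages) covering the pattern shared by the apport, mandb and ntp items above: a root job that operates by path inside a directory a less privileged user controls. naive_fix_perms() is the vulnerable shape: chmod by path follows a symlink the user planted, and a hard link shares its inode with the target, so either redirects the root operation at a file outside the directory. safe_fix_perms() is the hardened shape: check the entry with dir_fd-relative calls, open it with O_NOFOLLOW, confirm the opened inode is the one that was checked, refuse multi-linked files, and then act on the descriptor only. The names, the "stats.old" entries and the 0600 victim file in demo() are constructed for this example.

```python
import os
import stat
import tempfile


class Unsafe(Exception):
    """The entry is not the plain, single-linked, user-owned regular file we expected."""


def naive_fix_perms(spool, mode=0o640):
    """Vulnerable pattern: a root cron job chmod'ing by path inside a directory
    the service user controls. chmod follows symlinks, and a hard link shares
    its inode with the target, so the user chooses what root touches."""
    for name in os.listdir(spool):
        os.chmod(os.path.join(spool, name), mode)


def safe_fix_perms(dir_fd, name, expected_uid, mode=0o640):
    """Hardened pattern: check the entry relative to an already open directory,
    open it without following symlinks, make sure the opened inode is the one
    checked, then operate on the descriptor. Raises Unsafe instead of touching
    anything that does not look like our own file."""
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if stat.S_ISLNK(st.st_mode):
        raise Unsafe("symlink: " + name)
    if not stat.S_ISREG(st.st_mode):
        raise Unsafe("not a regular file: " + name)
    if st.st_uid != expected_uid:
        raise Unsafe("owned by uid %d, not %d: %s" % (st.st_uid, expected_uid, name))
    if st.st_nlink > 1:
        raise Unsafe("hard link shared with another path: " + name)
    # O_NOFOLLOW refuses a symlink swapped in after the stat; O_NONBLOCK keeps a
    # swapped-in FIFO from hanging us; the dev/ino comparison catches the rest.
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
    try:
        now = os.fstat(fd)
        if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
            raise Unsafe("entry replaced between check and open: " + name)
        os.fchmod(fd, mode)  # acts on the verified inode, never on a path
    finally:
        os.close(fd)


def demo(naive=False):
    """Constructed spool: one legitimate file plus a symlink and a hard link that
    both point at a 0600 'victim' file outside the spool.

    Returns (outcome per entry for the safe path, victim mode after cleanup).
    """
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "spool")
    victim = os.path.join(root, "victim")
    os.mkdir(spool)
    for path, text in ((victim, "secret\n"), (os.path.join(spool, "stats.old"), "old stats\n")):
        with open(path, "w") as f:
            f.write(text)
    os.chmod(victim, 0o600)
    os.symlink(victim, os.path.join(spool, "link.old"))
    os.link(victim, os.path.join(spool, "hard.old"))
    outcome = {}
    if naive:
        naive_fix_perms(spool)
    else:
        dir_fd = os.open(spool, os.O_RDONLY | os.O_DIRECTORY)
        try:
            for name in sorted(os.listdir(spool)):
                try:
                    safe_fix_perms(dir_fd, name, os.getuid())
                    outcome[name] = "fixed"
                except Unsafe:
                    outcome[name] = "refused"
        finally:
            os.close(dir_fd)
    return outcome, stat.S_IMODE(os.stat(victim).st_mode)
```

With the naive job the victim ends up 0640 through either the symlink or the hard link; the hardened job refuses both entries and only touches stats.old. The same descriptor-based discipline applies to chown, truncate and rename: once the job holds a verified fd, every further operation should go through it rather than through a path the user can re-point.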

      <item>
         <title>Access to all /dev/pts devices via pt_chown and user namespaces</title>
         <link>https://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/</link>
         <description>Publication: /usr/lib/pt_chown was used
to change the ownership of slave pts devices in /dev/pts to the
uid holding the master file descriptor for the slave. Another devpts
instance mounted within a user namespace allows an unprivileged user
to fool pt_chown into operating on file descriptors from inside the
namespace while changing ownership of the device with the same number outside
the namespace. Read more at
https://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/.</description>
         <pubDate>Mon, 22 Feb 2016 22:14:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160222-PtChownArbitraryPtsAccessViaUserNamespace</guid>
      </item>

      <item>
         <title>User Namespaces Overlayfs Xattr Setgid Privilege Escalation</title>
         <link>https://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/</link>
         <description>Publication: Overlayfs allows mixing the content
of two filesystems, e.g. a read-only medium with a r/w RAM-fs. This
is also allowed within user namespaces. As overlayfs does not
initialize xattr ACLs when copying files, a malicious user may gain
write access to SGID directories and thereby full member access to
that group. As a member of group root or staff, escalation to user
root may be simple. Read more at
https://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/.</description>
         <pubDate>Mon, 22 Feb 2016 22:15:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160222-UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation</guid>
      </item>

      <item>
         <title>Overlayfs over Fuse Privilege Escalation</title>
         <link>https://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/</link>
         <description>Publication: On some systems, e.g. Ubuntu
Wily, it is possible to place a USERNS overlayfs mount over a
fuse (file system in userspace) mount. Inactive SUID binaries
in the user-controllable fuse filesystem may then be copied to
other filesystems during copy_up, thus allowing unprivileged users
to create arbitrary SUID binaries on disk. Read more at
https://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/.</description>
         <pubDate>Mon, 22 Feb 2016 22:15:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160222-OverlayfsOverFusePrivilegeEscalation</guid>
      </item>

      <item>
         <title>Aufs Union Filesystem Privilege Escalation In User Namespaces</title>
         <link>https://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/</link>
         <description>Publication: Aufs is a union filesystem
that mixes the content of different underlying filesystems, e.g. a read-only
medium with a r/w RAM-fs. That is also allowed in user namespaces
when the module was loaded with the allow_userns option. Due to several
bugs, aufs in a crafted USERNS allows privilege escalation, which
is a problem on systems enabling unprivileged USERNS by default,
e.g. Ubuntu Wily. Read more at
https://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/.</description>
         <pubDate>Mon, 22 Feb 2016 22:45:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160222-AufsPrivilegeEscalationInUserNamespaces</guid>
      </item>
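Added example (not code from the publications above) for the exposure that the overlayfs, aufs and fuse items share: all of them need unprivileged user namespaces plus a union filesystem the kernel lets such a namespace mount. This check reads the two knobs that govern the first part, kernel.unprivileged_userns_clone (the Debian/Ubuntu switch, 1 means any user may create a user namespace) and user.max_user_namespaces (the upstream limit, 0 disables), and lists which union filesystems /proc/filesystems knows. Whether a given filesystem is actually mountable from inside a user namespace depends on the kernel build and is not visible there, so the function only flags combinations worth reviewing. The function names and SAMPLE_FILESYSTEMS are constructed for this example.

```python
import os


def parse_filesystems(text):
    """Filesystem names from /proc/filesystems: last column, 'nodev' marker dropped."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[-1])
    return names


def read_sysctl(path):
    """Integer value of a /proc/sys entry, or None if this kernel has no such knob."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def userns_exposure(unprivileged_userns_clone, max_user_namespaces, filesystems):
    """Combine the knobs into one verdict.

    A missing knob (None) means the kernel does not offer that restriction,
    so unprivileged user namespaces stay reachable unless the other knob
    forbids them.
    """
    reachable = True
    if unprivileged_userns_clone == 0:
        reachable = False
    if max_user_namespaces == 0:
        reachable = False
    union_fs = sorted(fs for fs in ("aufs", "fuse", "overlay", "overlayfs") if fs in filesystems)
    return {
        "unprivileged_userns": reachable,
        "union_fs_present": union_fs,
        "review": reachable and len(union_fs) > 0,
    }


def live_check():
    """Evaluate the running kernel; reads /proc only."""
    try:
        with open("/proc/filesystems") as f:
            fs = parse_filesystems(f.read())
    except OSError:
        fs = set()
    return userns_exposure(
        read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"),
        read_sysctl("/proc/sys/user/max_user_namespaces"),
        fs,
    )


# Constructed sample in /proc/filesystems format.
SAMPLE_FILESYSTEMS = """nodev\tsysfs
nodev\tproc
\text4
nodev\toverlay
nodev\taufs
nodev\tfuse
"""
```

A "review": True result on a multi-user host is the configuration the items above were exploited on; setting kernel.unprivileged_userns_clone=0 where the kernel offers it (or user.max_user_namespaces=0 on newer kernels) removes the unprivileged entry point, at the cost of breaking software that relies on user namespaces.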

      <item>
         <title>Debian Exim Spool Directory Races Local Root</title>
         <link>https://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/</link>
         <description>Publication: Exim4 is started as root but
switches to uid/gid Debian-exim/Debian-exim. To regain privileges
for mailbox delivery, it may re-invoke exim4 SUID binary. A race
in spool directory handling will thus allow any Debian-exim process
to escalate to root. Read more at
[https://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/].
</description>
         <pubDate>Thu, 30 Jun 2016 04:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160630-DebianEximSpoolLocalRoot</guid>
      </item>

      <item>
         <title>Debian Exim Spool Directory Races Local Root Fixed</title>
         <link>https://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/</link>
         <description>Update: The issue was fixed with the latest Exim
release, see also [https://lists.exim.org/lurker/message/20161225.101705.4bbe7ae8.en.html].
</description>
         <pubDate>Fri, 30 Dec 2016 00:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/index.html#Log20160630-DebianEximSpoolLocalRoot-Followup20161230</guid>
      </item>

      <item>
         <title>Exploitation in the Wild of SGID Directory/SUID File Kernel Inconsistencies</title>
         <link>https://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/</link>
         <description>In the last days, I observed increased interest in this topic. As those subtle POSIX specification inconsistencies and kernel bugs are quite old and the exploitation technique variations are numerous, e.g. using USERNS, overlayfs, fuse, ..., this whole story might haunt various systems for quite some time. Here [0] is a nice example of how these tools are used in the wild - as machines are still vulnerable - BUT you might notice: final exploitation was not even attempted. So to the script kiddies: do not stop when you see the first "uid=0" line on the console. Read articles/POCs to the end because root in USERNS is NOT real root!
[0] https://medium.com/@3wem/pluck-d5d1c05ab2e0
</description>
         <pubDate>Sat, 18 Mar 2017 00:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/?rssGuid=20170318</guid>
      </item>

      <item>
         <title>GuerillaBackup packages available for Debian</title>
         <link>https://www.halfdog.net/Security/#Log20161230-GuerillaBackup</link>
         <description>GuerillaBackup is designed to be a lightweight, resilient, distributed backup and archiving solution with security in mind. It allows building your own backup and transfer flows with one-way data encryption at the source, support for GDPR-compliant logfile archiving, and transfer without requiring remote-code-execution-capable access to the machines or high network bandwidth. The Debian inclusion is ongoing, see [0], which is also the best source for the packages. The documentation and sources are here [1], excluding the changes currently in the Debian review process.
[0] https://mentors.debian.net/package/guerillabackup
[1] https://github.com/halfdog/guerillabackup
</description>
         <pubDate>Mon, 11 Dec 2017 00:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/#Log20161230-GuerillaBackup?rssGuid=20171211</guid>
      </item>

      <item>
         <title>Gain Access to SSH Group via ssh-agent and OpenSSL</title>
         <link>https://www.halfdog.net/Security/#Log20171225-SshAgentGroupPrivEsc</link>
         <description>ssh-agent on Debian from the openssh-client package
is a set-group-id binary to prevent ptracing. While the anti-ptrace
measures are still effective, ssh-agent itself can be used to
gain access to the group 'ssh' via the OpenSSL library. As the
group is only used by the agent, this does not seem to have any further
security implications. Read more at https://www.halfdog.net/Security/2017/SshAgentGainGroupPrivileges/ ...
</description>
         <pubDate>Mon, 25 Dec 2017 12:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/#Log20171225-SshAgentGroupPrivEsc?rssGuid=20171225</guid>
      </item>

      <item>
         <title>OpenSSH sftp code execution with writable</title>
         <link>https://www.halfdog.net/Security/#Log20180108-OpensshSftpChrootCodeExecution</link>
         <description>The sftp component of OpenSSH provides
a chroot feature for hardening. The documentation states
that the chroot root directory must not be writable. This page
documents some analysis results following a discussion on the openssh-dev
mailing list, where some people questioned the read-only restriction.
Here are some arguments why it still makes sense in 2018.
Read more at https://www.halfdog.net/Security/2018/OpensshSftpChrootCodeExecution/ ...
</description>
         <pubDate>Sun, 07 Jan 2018 12:00:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/#Log20180108-OpensshSftpChrootCodeExecution?rssGuid=20180107</guid>
      </item>
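Added example (not code from the analysis page or from OpenSSH): the check an administrator can run on a planned ChrootDirectory before sshd refuses it. sshd verifies, before chroot(2), that every directory from / down to and including the chroot is a directory owned by root and is neither group- nor world-writable; chroot_path_problems() applies the same three rules per path component and returns what would be rejected. The function names and the temporary layout in demo() are constructed here; demo() contrasts a world-writable chroot with the supported layout, a root-owned 0755 chroot that contains a writable subdirectory for uploads.

```python
import os
import stat
import tempfile


def has_bit(mode, bit):
    """True if the single-bit mask `bit` (e.g. stat.S_IWOTH) is set in `mode`."""
    return (mode // bit) % 2 == 1


def chroot_path_problems(path):
    """Check a ChrootDirectory the way sshd does before chroot(2).

    Every directory from / down to and including `path` must exist, be a
    directory, be owned by uid 0 and be neither group- nor world-writable.
    Returns a list of (component, problem) pairs; empty means acceptable.
    """
    problems = []
    path = os.path.abspath(path)
    components = ["/"]
    for part in path.strip("/").split("/"):
        if part:
            components.append(os.path.join(components[-1], part))
    for comp in components:
        try:
            st = os.stat(comp)  # sshd uses stat(), so a symlinked component is resolved
        except OSError as e:
            problems.append((comp, e.strerror))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if has_bit(st.st_mode, stat.S_IWGRP) or has_bit(st.st_mode, stat.S_IWOTH):
            problems.append((comp, "group- or world-writable (mode %o)" % stat.S_IMODE(st.st_mode)))
    return problems


def demo():
    """Constructed layout: `bad` is a chroot made world-writable so that uploads
    'just work'; `good` is the supported shape, a 0755 chroot with a writable
    `upload` subdirectory inside it.

    Returns (problems for bad, problems for good). Parent directories such as
    /tmp may legitimately show up in both lists on a real system.
    """
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "bad")
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    good = os.path.join(root, "good")
    os.mkdir(good)
    os.chmod(good, 0o755)
    os.mkdir(os.path.join(good, "upload"))
    os.chmod(os.path.join(good, "upload"), 0o700)
    return chroot_path_problems(bad), chroot_path_problems(good)
```

When run as a normal user the demo also reports "owned by uid N, not root" for the temporary directories, which is the second half of the rule: a chroot that the sftp user (or anyone but root) can rename, replace or write into is the situation the analysis page argues against, and the usual fix is chown root:root plus chmod 755 on the chroot itself with a user-owned subdirectory beneath it.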

      <item>
         <title>Libc realpath buffer underflow</title>
         <link>https://www.halfdog.net/Security/#Log20180111-LibcRealpathBufferUnderflow</link>
         <description>The current glibc implementation contains an
exploitable buffer underflow in realpath() when the Linux kernel getcwd()
returns a path not starting with a slash. When exploited, privilege
escalation is possible, as demonstrated with umount on Ubuntu/Stretch.
Read more at https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ ...
</description>
         <pubDate>Thu, 11 Jan 2018 21:30:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/#Log20180111-LibcRealpathBufferUnderflow?rssGuid=20180111</guid>
      </item>

      <item>
         <title>Glibc CVE-2018-1000001 PoC</title>
         <link>https://www.halfdog.net/Security/#Log20180111-LibcRealpathBufferUnderflow</link>
         <description>Finally releasing the escalation PoC 17
days after informing distros and 5 days after disclosure. It is
intended as a demonstration of ASLR-aware exploitation techniques.
Relative binary offsets may differ between Linux distributions
and builds. Please send me a patch if you have developed a new set
of parameters and want to contribute them. Read more at
https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ ...
</description>
         <pubDate>Tue, 16 Jan 2018 18:45:00 +0000</pubDate>
         <guid isPermaLink="false">https://www.halfdog.net/Security/#Log20180111-LibcRealpathBufferUnderflow?rssGuid=20180116</guid>
      </item>
   </channel>
</rss>
