Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5028957A.5090409@redhat.com>
Date: Sun, 12 Aug 2012 23:49:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Jason A. Donenfeld" <Jason@...c4.com>
Subject: Re: Tunnel Blick: Multiple Vulnerabilities to Local
 Root and DoS (OS X)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2012 09:31 AM, Jason A. Donenfeld wrote:
> Hi,
> 
> Tunnel Blick, a popular OpenVPN manager for Macintosh, has several 
> vulnerabilities in an SUID helper. I'm not sure if this is the
> place to report vulnerabilities in Macintosh software, but Tunnel
> Blick is open source.
> 
> From the bug report [1] on the vulnerable code [2]:
> 
> 1. A race condition in file permissions checking can lead to local
> root. (PoC: [3])
> 
> 2. Insufficient checking of merely 0:0 744 can lead to local root
> on systems with particular configurations.
> 
> 3. Insufficient validation of path names can allow for arbitrary 
> kernel module loading, which can lead to local root.
> 
> 4. Insufficient validation of path names can allow execution of 
> arbitrary scripts as root, leading to local root. (PoC: [4])
> 
> 5. Insufficient path validation in errorExitIfAttackViaString can
> lead to deletion of files as root, leading to DoS.
> 
> 6. Allowing OpenVPN to run with user given configurations can lead
> to local root.
> 
> Left one out.
> 
> 7. Race condition in process killing.

Sorry maybe it's just late but I'm not finding any links to the
vulnerable code/fixed code which makes it difficult to verify these
issues. If you could put links to the affected code/lines so I can
quickly verify that would be helpful. E.g. I might need to merge some
of these (#3 and #4 and #5 for example are all input validation?).

> Thanks, Jason
> 
> [1] http://code.google.com/p/tunnelblick/issues/detail?id=212 [2]
> http://code.google.com/p/tunnelblick/source/browse/trunk/tunnelblick/openvpnstart.m?r=2095
>
> 
[3] http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c
> [4]
> http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh
>
> 
- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQKJV6AAoJEBYNRVNeJnmTUKoP/RFPVbuAKsrTOKea0fbSVXA5
gVqmHHuK0vEmJfi4HaUhKUsV5Vx+fq08TR+16CCYhCJwfZhzPcUPSYyswaXuP0Wi
ZR8d+/jRPxRssBNeHkOey6ec2SaVwCJtVjnpaJAz0URE9421DX8217J9daOxcpK9
WVelp+jJuye9n5ykezGIg/dufZ3LMvZmdDHaD7Wce7Lx3dfvSSjSjwZZAPM36uzY
WpTdil0pvv/wmmN4tECUOCC2oEaroJc8iKQa3/U3RHFUtIPRvNanS++uKmVgNSrk
FP/xZie4TrduciHxTPUEfx3ubiLEqQO0Xm90EU6l6zesIqeNSxt7O42V9UX0ukk4
6PqkC/u/NbGfxm+W+GGOuN0HHEhl0Xvpq/kUKSIqCVHchEeWP/S59VbM48/0MhEC
kWpbaKrOEfA9RG9uChYRiM3B4AO71yCRCksy+8QcvlOldoVnbGA239+aQ82CbCr3
JC+rDJyViyzj7p06cF03lZ6WZ5zgbRBtp6Ijn7MXRV55fpYuCIyC83js9Mp6DZaT
+wnUM0iy5CzbKXUmcslw3//t6QO3+aVD0hiYK4HrjUYq4rwY+E8IYd5Hn5F7Tim5
rgrghd56GMe4cBn03/GUs6xVourQdUjyObN3MuLl+I8B9st34+AM0eSLvEeF+shE
yXjS0VBOlI2YOK46f/DK
=D+SB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.