Message-ID: <83ad8e1c-c317-49f1-8bbb-b613b48263f9@redhat.com>
Date: Mon, 11 Sep 2017 14:22:12 -0600
From: "kseifried@...hat.com" <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, Michael Orlitzky <michael@...itzky.com>
Cc: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Subject: Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation

On 2017-09-11 01:58 PM, Michael Orlitzky wrote:
> On 09/07/2017 12:22 PM, Daniel Kahn Gillmor wrote:
> It's just me as far as I know. I stumbled onto this by accident while
> cleaning up an OpenRC init script that was shipped as part of an
> upstream package. I updated it, and then noticed that my init script was
> vulnerable to the PID file trick. Then I realized that everybody else
> has the same problem.
> 
> You probably need a human to make the final decision on whether or not
> an init script is vulnerable, but my lame heuristic so far has been
> hilariously accurate: does the init script mess with file/directory
> ownership? If so, it's probably vulnerable to *something*.

Another note on init scripts and related scripts (rpm and dpkg
postinstall/preinstall/etc.): as a rule, if one does anything with:

chmod
chown
chgrp
touch
head
tail
cat
"/etc/pki/"
"/tmp/"
"/dev/random"
"/dev/urandom"
cert commands from openssl, gnutls or nss
a pile of other things (you start to get the idea)

there is a semi-good chance that either something is going wrong
security-wise, or it should be part of first run (e.g. things that
generate a certificate or a key: if you do that in the install/postinstall
scripts, all your containers have the same secret; if you do it on first
run (typically as part of the app itself, or part of the init scripts),
then it's unique per instance). Some examples:

CVE-2016-4980 CVE-2016-4982 CVE-2016-4983 CVE-2016-4984

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
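The triage heuristic described in the message above, turned into a script as an added example; this is not code from the thread or from any of the projects mentioned. The two sample scriptlets it scans are constructed for the demo, and the nagios path and openssl invocation in them are illustrative only.

```shell
#!/bin/sh
# Added example, not code from the thread: flags init scripts and rpm/dpkg
# scriptlets that use the listed commands, paths and cert tools, so that a
# human can decide whether each hit is a real ownership or shared-secret bug.
# Patterns from the list in the message (grep -E syntax). The openssl
# subcommands and certtool/certutil stand in for "cert commands".
RISKY='(^|[^[:alnum:]_])(chmod|chown|chgrp|touch|head|tail|cat)([^[:alnum:]_]|$)'
RISKY="$RISKY|/etc/pki/|/tmp/|/dev/u?random"
RISKY="$RISKY|openssl +(req|x509|genrsa|genpkey|rand)|certtool|certutil"

# Print each matching line of one script as file:line:text.
# Exit status is grep's: 0 if anything matched, 1 if nothing did.
scan_script() {
    grep -nHE "$RISKY" "$1"
}

# Scan every script given, sending matches to stderr, and print the number
# of files that were flagged on stdout.
count_flagged() {
    flagged=0
    for f in "$@"; do
        if scan_script "$f" >&2; then
            flagged=$((flagged + 1))
        fi
    done
    echo "$flagged"
}

# Constructed sample scriptlets for the demo (not real package scripts;
# the nagios path and openssl command are illustrative only).
write_demo_scripts() {
    mkdir -p "$1"
    cat > "$1/risky.postinst" <<'EOF'
#!/bin/sh
# fixes ownership of a PID directory and mints a key at install time
chown -R nagios:nagios /var/run/nagios
openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/pki/app.key -out /etc/pki/app.crt
EOF
    cat > "$1/clean.postinst" <<'EOF'
#!/bin/sh
systemctl daemon-reload
EOF
}

# Usage: sh audit-scripts.sh /etc/init.d/* ; or "--demo" for the samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_demo_scripts "$d" && count_flagged "$d"/*.postinst
    rm -rf "$d"
fi
```

Every hit still needs a human to decide whether it matters; the count on stdout is only a measure of how much review is queued.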
