Message-ID: <20230418005741.GA25557@openwall.com>
Date: Tue, 18 Apr 2023 02:57:41 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Ruihan Li <lrh2000@....edu.cn>, "Todd C. Miller" <Todd.Miller@...o.ws>
Subject: Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution

Hi,

Thank you Ruihan Li for finding and handling this vulnerability so well, and for the detailed write-up.

When discussing this on linux-distros a week ago, I wrote:

> Regarding the vulnerability itself, do you think it'd be a good idea to
> also inform the maintainer of sudo? My thinking is that sudo could be
> hardened not to trigger ioctl's (which I guess it does via tcgetattr()
> or such?) while having euid=0 (and thus root's typical capabilities) -
> it could temporarily seteuid(uid), then switch back due to saved uid.
>
> Did you identify (m)any other programs usable for this attack? I guess
> some with functionality "similar" to sudo's could also be "affected"
> (there are several implementations of su in different packages for
> Linux, pkexec, various container entry tools).

And indeed Ruihan Li came up with the list of other likely usable programs on a typical Linux distro, which makes the point of hardening only sudo moot, and so we decided to postpone further discussion until this is public on oss-security.

OTOH, not all distros are typical. Besides Android, we got rid of all SUID binaries in default install of Owl over a decade ago. While Owl is now effectively EOL'ed, some of its legacy lives on in ALT Linux distros, which are maintained, and other distros can do similar - it's primarily a matter of caring to do it or not. We did not package sudo in Owl, but if someone were to install it then it'd be the only program exposing this kernel vulnerability. So in that case, hardening sudo would have helped.

On Sun, Apr 16, 2023 at 10:57:27PM +0200, Steffen Nurpmeso wrote:
> So this general beating onto SETUID or super capable programs
> smells like bad fish Hollywood boom-boom again, no?

That lengthy list of them is actually in defense of sudo not having been hardened in this respect - it shows that this would not matter on a typical Linux system anyway.

> You have to do some things, and if you give up privileges
> thereafter, extended capabilities are gone.

POSIX saved IDs should help retain/regain the capabilities.

Alexander