It has taken nearly four years for Security Enhanced Linux (SELinux) to
make its way into some of the more mainstream distributions, but that process
is accelerating. First released by the US National Security Agency (NSA)
in December 2000, SELinux has been incorporated into Fedora Core 2 (and the
test versions of Fedora Core 3), Debian and Gentoo, and will likely see more
distributions that support it and more deployments in the future. It
seems like a good time to take an in-depth look at how SELinux can
increase the security of Linux.
Linux, like UNIX, has its security based on what is known as
Discretionary Access Control (DAC), which means that access to objects
is governed by the identity of an authenticated user.
It is discretionary because the user can
(sometimes unwittingly) pass their permissions to others on the system.
A simple "chmod a+w somefile" is an example of a command that
a Linux user can execute that opens up permissions on a file to all
other users in the system.
In addition, any program that is run by a user has at least the
permissions of that user.
This allows malicious, badly configured, or exploitable programs to use
the full permissions of the user executing them and can lead to unexpected
security breaches.
If, for example, the cat program had an exploitable
buffer overrun bug and a particular file could trigger that bug and cause
it to delete the files in a user's home directory, standard Linux access
control would not prevent it. Any user that could be tricked into
executing "cat badfile" would be susceptible.
SELinux, on the other hand, uses a Mandatory Access Control (MAC)
mechanism that seeks to only allow a program the access it needs to do
its job and not all the access that the user running it has. In the
example above, cat could be configured to only have read
access to any files that the user has read access to
and any attempt to write or delete any file in the system
would be prevented. The administrator can prevent programs from having
unneeded access and only allow the user to grant that portion of their
access that is needed by the normal functioning of the program.
MAC embodies the idea that "those things which are not explicitly
permitted are forbidden."
At its core, SELinux defines a security attribute called a type
and assigns types to various resources
handled by the kernel: processes, files, directories, sockets, etc.
The usage of the term type is unfortunate in that it implies all files
would be one type, all directories another, etc. This is not the case
as each individual resource could have its own type.
Each type in the system is associated with a set of rights for
each other type in the system and
those rights govern what kinds of operations can be performed.
This model is known as Type Enforcement (TE) and is the subject of a
patent granted to Secure Systems Corp. (SSC), one of the contractors that
worked with the NSA on parts of SELinux. At one time there were concerns
that the patent would preclude SELinux from being distributed under the
GPL, but the SSC Statement of Assurance seems to have alleviated those concerns.
SELinux augments the traditional TE model with the
addition of Role-Based Access Control (RBAC). Instead of directly
associating a user with a type, RBAC associates users with one or more
roles in the system and associates one or more types with each of
those roles.
The permissions checks are still handled by the TE system and RBAC just
provides a simpler way to manage users.
SELinux provides a much richer set of permissions than the
read, write, execute permissions that UNIX users are used to. There
are separate permissions that govern all of the kinds of operations
you can do on a file (create, delete, rename, unlink, etc.) as well as
specific kinds of permissions for directories, sockets, semaphores, etc.
Permissions are stored as bits in an access vector and SELinux has three
types of these vectors: allowed, auditallow, and auditdeny. The allowed
vector governs whether the operation is permitted. Auditallow and auditdeny
determine whether the operation is logged if it is allowed or denied.
It should be noted that all of the permissions checking that is done by
SELinux is done after the normal Linux permissions checks are performed.
If a user cannot read a file due to the rwx permissions, the
SELinux access control mechanism is not consulted.
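The Type Enforcement model and the three access vectors described above can be made concrete with a small model of the access decision. This is an added example, not code from the article or from SELinux itself: the domain and file types (cat_t, user_home_t, shadow_t), the uids, the modes and the six file permissions are constructed for illustration. What it shows is the shape of the decision: the ordinary rwx (DAC) check runs first, and the allowed, auditallow and auditdeny vectors are consulted only when DAC has already permitted the operation, so an exploited cat that tries to unlink the user's own file is stopped by TE even though the user's mode bits would allow it.

```python
"""Toy model of the SELinux access decision: DAC first, then Type Enforcement.

Added example, not code from the article or from SELinux. Types, uids, modes
and the permission bits are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntFlag
from typing import Dict, Tuple


class FilePerm(IntFlag):
    """Bits of a (much reduced) file access vector."""
    READ = 1
    WRITE = 2
    EXECUTE = 4
    CREATE = 8
    UNLINK = 16
    RENAME = 32


ALL_PERMS = FilePerm(63)   # every bit above


@dataclass(frozen=True)
class AccessVectors:
    allowed: FilePerm = FilePerm(0)      # operations the policy permits
    auditallow: FilePerm = FilePerm(0)   # permitted operations that are still logged
    auditdeny: FilePerm = ALL_PERMS      # denied operations that are logged (default: all)


@dataclass(frozen=True)
class Subject:
    uid: int
    domain: str      # the process's TE type, e.g. cat_t (constructed)


@dataclass(frozen=True)
class FileObject:
    owner: int
    mode: int        # UNIX permission bits, e.g. 0o600
    type: str        # the file's TE type, e.g. user_home_t (constructed)


@dataclass(frozen=True)
class Decision:
    permitted: bool
    audited: bool
    denied_by: str   # "" when permitted, otherwise "dac" or "te"


# Constructed policy: (source domain, target type) -> access vectors.
# A pair with no entry gets an empty allowed vector: what is not explicitly
# permitted is forbidden.
POLICY: Dict[Tuple[str, str], AccessVectors] = {
    ("cat_t", "user_home_t"): AccessVectors(allowed=FilePerm.READ),
    ("cat_t", "shadow_t"): AccessVectors(allowed=FilePerm.READ,
                                         auditallow=FilePerm.READ),
}


def dac_allows(subject: Subject, obj: FileObject, requested: FilePerm) -> bool:
    """Ordinary UNIX mode-bit check, simplified: only the owner and 'other'
    triplets are modelled (no groups), and create/unlink/rename are treated
    as writes to the file rather than to its parent directory."""
    bits = (obj.mode >> 6) & 7 if subject.uid == obj.owner else obj.mode & 7
    writes = FilePerm.WRITE | FilePerm.CREATE | FilePerm.UNLINK | FilePerm.RENAME
    if requested & FilePerm.READ and not bits & 4:
        return False
    if requested & writes and not bits & 2:
        return False
    if requested & FilePerm.EXECUTE and not bits & 1:
        return False
    return True


def check_access(policy, subject: Subject, obj: FileObject,
                 requested: FilePerm) -> Decision:
    """DAC first; TE is only consulted if DAC passed, as the article describes."""
    if not dac_allows(subject, obj, requested):
        return Decision(permitted=False, audited=False, denied_by="dac")
    av = policy.get((subject.domain, obj.type), AccessVectors())
    denied = requested & (ALL_PERMS ^ av.allowed)   # requested bits not allowed
    if denied:
        return Decision(False, bool(denied & av.auditdeny), "te")
    return Decision(True, bool(requested & av.auditallow), "")


def demo() -> Dict[str, Decision]:
    alice = Subject(uid=1000, domain="cat_t")      # cat run by an ordinary user
    root = Subject(uid=0, domain="cat_t")          # cat run by root
    notes = FileObject(owner=1000, mode=0o600, type="user_home_t")
    shadow = FileObject(owner=0, mode=0o600, type="shadow_t")
    return {
        "alice: cat reads her notes": check_access(POLICY, alice, notes, FilePerm.READ),
        "alice: exploited cat unlinks notes": check_access(POLICY, alice, notes, FilePerm.UNLINK),
        "alice: cat reads /etc/shadow": check_access(POLICY, alice, shadow, FilePerm.READ),
        "root: cat reads /etc/shadow": check_access(POLICY, root, shadow, FilePerm.READ),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:36} permitted={d.permitted} audited={d.audited} denied_by={d.denied_by!r}")
```

Running the script shows the four outcomes the article's text implies: the plain read is permitted silently, the unlink passes DAC but is refused and logged by TE, alice's read of the shadow file never reaches SELinux because DAC already refused it, and root's read is permitted but logged because the constructed policy sets auditallow for that pair.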
One would guess that, with all of this fine-grained control over permissions,
SELinux would be very complex to set up. That is true, but the
NSA and the distributions have done a great deal of the necessary
groundwork. As part of
their release, the NSA also released policy definitions to be used as a
starting point for SELinux administrators. Various distributions have
tweaked these definitions for their specific needs, but it is still a very
complex and somewhat fragile framework. This author had difficulty with
various cron jobs on a Fedora Core 2 SELinux system and the mailing list
archives have quite a few queries from administrators trying to get
the permissions set correctly for their specific needs. Based on this
message it would appear that Fedora Core 3 has ratcheted down
the checking that SELinux will do in the default install.
An upcoming article will give a more "hands-on" approach to exploring SELinux
using Fedora Core 3 test2 including looks at the policies defined and how
they are used to provide more protection than a standard Linux installation.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
The glFTPd server is vulnerable to a buffer overflow in the 'dupescan'
program. This vulnerability is due to an unsafe strcpy() call which can
cause the program to crash when a large argument is passed. A local user
with malicious intent can pass a parameter to the dupescan program that
exceeds the size of the buffer, causing it to overflow. This can lead the
program to crash, and potentially allow arbitrary code execution with the
permissions of the user running glFTPd, which could be the root user.
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating malformed video or image files in the AVI, BMP, or DIB format.
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
SnipSnap, a content management system, is vulnerable to several "HTTP response splitting" attacks, leading to cross-site scripting and cache poisoning problems. Version 1.0_beta1 fixes things.
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Apache httpd has a denial of service vulnerability in mod_ssl in which
an attacker can force
an SSL connection to abort, resulting in the Apache child process entering
an infinite loop. This affects httpd versions up to and including
2.0.50.
Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country-specific secondary top-level domains.
During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances - such as when the files are exported via NFS.
Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64- to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
Several double-free bugs were found in the Kerberos 5 KDC and libraries. A
remote attacker could potentially exploit these flaws to execute arbitrary
code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite
loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote
attacker may be able to trigger this flaw and cause a denial of
service. See CAN-2004-0644. See this CERT
advisory for additional information.
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or tests the archive.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; however, because the
vulnerability was not fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
This August 2004 rsync advisory reports that there is a path-sanitizing
bug that affects daemon mode in all recent rsync versions (including 2.6.2)
but only if chroot is disabled. It does NOT affect the normal send/receive
filenames that specify what files should be transferred (this is because
these names happen to get sanitized twice, and thus the second call removes
any lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxiliary files to be read or
written.
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can allow an attacker who also has shell access to the
webserver to take over a session.
There is a defect in smbd's ASN.1 parsing. A bad packet received during
the authentication request could throw newly-spawned smbd processes
into an infinite loop (CAN-2004-0807). Another defect was found in
nmbd's processing of mailslot packets, where a bad NetBIOS request
could crash the nmbd process (CAN-2004-0808). See this advisory for details.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
SUS is a suid root program that allows ordinary users to execute
certain programs with superuser privileges. SUS is run by default as setuid
root. A simple format string bug in the log() function allows any local
user to gain root privileges. See this BugTraq advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
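The tar item above and the rsync item earlier on this page describe the same class of defect from two sides: a name taken from an untrusted source must not be able to climb out of (tar's "../") or start outside (rsync's leading slashes) the directory it is supposed to stay in, and the routine that makes the name safe must give the same answer whether it is called once or twice. The following is an added example, not code from GNU tar, rsync or this page; the sample member names are constructed, and strip_one_leading_slash is a constructed illustration of a non-idempotent sanitizer, not rsync's actual code.

```python
"""Relative-path sanitizer of the kind a tar extractor or an rsync daemon
with chroot disabled needs. Added example; not code from rsync, GNU tar or
the LWN page. All sample names are constructed."""
from typing import Callable, Dict, Iterable


class UnsafePath(ValueError):
    """A name that cannot be made safe because it tries to climb out of the base."""


def strip_one_leading_slash(name: str) -> str:
    """Constructed illustration of a non-idempotent sanitizer (NOT rsync's code).

    It removes a single leading slash, so "//etc/passwd" comes out as
    "/etc/passwd" and only a second pass yields a relative name. A caller that
    runs it once and a caller that runs it twice therefore disagree, which is
    the shape of the flaw the rsync advisory describes.
    """
    return name[1:] if name.startswith("/") else name


def sanitize_relative(name: str) -> str:
    """Return NAME as a path that stays inside the base directory.

    * every leading slash is dropped, so "/etc/passwd" and "//etc/passwd" both
      become "etc/passwd" (created under the base, where they are harmless);
    * empty and "." components are collapsed;
    * any ".." component is rejected outright (tar's "../" case) rather than
      resolved, because a name that climbs is hostile, not merely untidy;
    * NUL bytes are rejected because C-level path APIs would truncate there.
    """
    if "\0" in name:
        raise UnsafePath(f"embedded NUL in {name!r}")
    parts = [p for p in name.lstrip("/").split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafePath(f"path climbs out of base: {name!r}")
    return "/".join(parts) or "."


def is_idempotent(sanitizer: Callable[[str], str], name: str) -> bool:
    """True when a second pass changes nothing. A sanitizer that fails this
    test gives different answers to callers who sanitize once and callers who
    happen to sanitize twice."""
    once = sanitizer(name)
    return sanitizer(once) == once


def vet_archive_members(names: Iterable[str]) -> Dict[str, str]:
    """For each member name of an untrusted archive, give the path (relative
    to the extraction base) it would be written to, or why it is refused."""
    verdicts: Dict[str, str] = {}
    for n in names:
        try:
            verdicts[n] = sanitize_relative(n)
        except UnsafePath as e:
            verdicts[n] = f"REFUSED: {e}"
    return verdicts


if __name__ == "__main__":
    # Constructed member names of a hostile archive.
    members = ["docs/readme.txt", "./docs//notes.txt", "/etc/passwd",
               "//etc/passwd", "../../etc/passwd", "docs/../../etc/passwd"]
    for name, verdict in vet_archive_members(members).items():
        print(f"{name:26} -> {verdict}")
    for n in ("/etc/passwd", "//etc/passwd"):
        print(f"strip_one_leading_slash idempotent on {n!r}: "
              f"{is_idempotent(strip_one_leading_slash, n)}")
```

The refusal of ".." rather than its resolution is deliberate: an archive that contains "docs/../../etc/passwd" is not a badly packed archive, it is an attack, and normalising the name would hide that from the log. The idempotence check is the regression test to keep around once a sanitizer has been fixed: if sanitize(sanitize(x)) ever differs from sanitize(x), some code path is relying on a second call that another path does not make.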
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability, originally thought to be confined to BSD-derived systems,
was first covered in the July 26th Security Summary. It is now known that
Linux telnet daemons are vulnerable as well.
There is an input validation bug in the webmail feature of Usermin.
Additionally, the Webmin and Usermin installation scripts write to
/tmp/.webmin without properly checking if it exists first.
The first vulnerability allows a remote attacker to inject arbitrary
shell code in a specially-crafted e-mail. This could lead to remote
code execution with the privileges of the user running Webmin or
Usermin.
The second could allow local users who know Webmin or Usermin is going
to be installed to have arbitrary files be overwritten by creating a
symlink by the name /tmp/.webmin that points to some target file, e.g.
/etc/passwd.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Michal Zalewski has announced the availability of "fakebust," which is "a simple, open-source, user-friendly, intuitive and very rapid malicious
code analyzer that can partly replace and in certain aspects outperform an
expensive, strictly controlled sandbox setup."
NGS has released a new white paper entitled "The Phishing Guide." "This paper covers the technologies and security flaws Phishers exploit to
conduct their attacks, and provides detailed vendor-neutral advice on what
organisations can do to prevent future attacks."