Following up on a previous
overview of Security
Enhanced Linux (SELinux), this article looks more closely at the
implementation of Security Enhanced Linux (SELinux) in
Fedora Core 3 test2 (FC3).
FC3 provides two separate SELinux policies, a default "targeted"
policy and the more restrictive "strict" policy.
The targeted policy
focuses on a handful of specific system daemons and locks down their
access while allowing the rest of the system to run using the standard
Linux security mechanisms. The
FC3 SELinux FAQ
describes the reasoning behind the targeted policy:
Initially, when SELinux was included in Fedora Core, the NSA strict
policy was enforced. For testing purposes, this helped to find hundreds
of problems in the strict policy. In addition, it became obvious that
applying a single strict policy to the many environments of Fedora users
was not feasible. Managing a single strict policy for anything other
than default installation was going to require local expertise.
There are 9 daemons currently handled by the targeted policy, all
network services of various sorts (httpd, named, snmpd, etc.) and more
daemons will be added to the policy in the future.
The top-level configuration file (/etc/selinux/config) for SELinux
on FC3 allows one to choose which of the policies to use and also what
enforcement level to use. In particular, the "permissive" level is
useful for finding problems in the policy for a specific installation as it
just warns when the policy has been violated. Once the policy has been
adjusted, the level can be set to "enforcing," which will cause SELinux
to enforce the policies. In addition, the enforcement level can be set to
"disabled" which effectively turns off SELinux. Any changes made to
the configuration file require a reboot to take effect, but the
enforcement level can be changed in a running system using the
setenforce command.
While changing the enforcement level is painless, the same is not
true for changing policies. SELinux uses the extended attributes
in Linux filesystems to permanently associate a security context with
each file and when changing policies, the attributes of many files in the
filesystem must also be changed. The fixfiles command is
available to traverse the filesystem and make the required changes
based on the information provided in the file_contexts file
associated with the policy. file_contexts maps a regular
expression describing some subtree of the filesystem (possibly down
to an individual file) to a security context and fixfiles
(and the related setfiles command) parse this file and
set the attributes appropriately.
FC3 puts the SELinux configuration in the /etc/selinux directory
and the specifics for each policy in
/etc/selinux/<policyname>. For example:
/etc/selinux/targeted/contexts/file_contexts provides the
security context configuration for files in the targeted policy.
To support examining the security context of various entities in the SELinux
system, the -Z command line parameter has been added to several
standard utilities. The ls, ps, and id commands
have been modified to display the security context of files, processes and
users respectively and are very useful when diagnosing policy issues.
To get a sense of what goes into the policy configuration and how complex
it is, we examined the targeted policy configuration for the
ntpd program.
Once the selinux-policy-targeted-sources package is installed,
the configuration file for ntpd can be found in
/etc/selinux/targeted/src/policy/domains/program/ntpd.te.
This file specifies the access that the daemon will be allowed to have
and should specify all of the system entities (files, sockets, etc.) that
the program needs to access for correct operation. The level of detail
required in this file is rather eye opening:
Types are defined for the drift
file and for the network port used by ntpd
All of the file and directory types
that are used by the daemon are also specified with what access is
granted for each
Read access is granted for the urandom device
Network access is granted
Access to bind to the udp port that it uses and socket creation access for
datagram and stream sockets is granted
Capabilities allowing it to use the nice() system call are granted
etc.
It would appear that a fair amount of work went into figuring out all of
the various pieces that go into this configuration for what, at first
blush, would seem a fairly simple system daemon. Multiply this level of
complexity by the number of daemons in a typical system and one can see
why some critics of SELinux call it too complicated to be useful. On the
other hand, SELinux does provide very fine grained control over access
to system resources and in certain applications, that control is very
desirable.
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
php: information disclosure and file upload vulnerabilities
Package(s):
php
CVE #(s):
Created:
October 6, 2004
Updated:
October 6, 2004
Description:
Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and
Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files
which exist outside of the share's defined path. Such files must still be
readable by the account used for the connection.
According to this errata only Samba 3.0.x
<= 3.0.2a contains the exploitable code.
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux.
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating mal-formed video or image files in the AVI, BMP, or DIB format.
Three separate vulnerabilities have been identified in the KDE 3.2
"kdebase" package; see this advisory for
details. These problems include two temporary file vulnerabilities and a
"frame injection" problem in konqueror which could help with phishing
attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies
for certain country specific secondary top level domains.
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or test the archive.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written.
Andres Salomon noticed a problem in the CGI session management of Ruby, an
object-oriented scripting language. CGI::Session's FileStore (and
presumably PStore, but not in Debian woody) implementations store session
information insecurely. They simply create files, ignoring permission
issues. This can lead an attacker who has also shell access to the
webserver to take over a session.
Hugo Espuny discovered a problem in sendmail, a commonly used program
to deliver electronic mail. When installing "sasl-bin" to use sasl in
connection with sendmail, the sendmail configuration script use fixed
user/pass information to initialize the sasl database. Any spammer
with Debian systems knowledge could utilize such a sendmail
installation to relay spam.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Several unspecified cross-site scripting (XSS) vulnerabilities and a well
hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack allows an attacker to insert malicious code
into a web-based application. SquirrelMail does not check for code when
parsing variables received via the URL query string.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
