By Jake Edge
April 15, 2009
A recent patch posted to the linux-kernel
mailing list fixes a long-standing flaw in the Linux capabilities
implementation. The problem has existed since capabilities were added to
the kernel during the 2.1 development series—more than ten years
ago. One of the obvious questions is how a bug of that sort could have
escaped notice for so long.
The problem was reported in March by Igor
Zhbanov,
who provided an excellent analysis of the flaw and how it can be
exploited. The basic problem lives in the VFS and NFS code which tries
to drop privileges, by way of capabilities, before performing operations.
The mask of capabilities bits that was used for that purpose does not include
CAP_MKNOD (the ability to make a device node entry) or
CAP_LINUX_IMMUTABLE
(which allows changing the S_APPEND and S_IMMUTABLE file
attributes). That means that those capabilities bits are not removed
before the
file operation is performed.
Zhbanov shows that on a compromised client machine, the root user could
give another user CAP_MKNOD, which would allow that user to run the
mknod command and create a device entry owned by them. If this was
done on an NFS-mounted filesystem, that entry would be created on the
server still owned by the user. This works even if the
root_squash option—essentially mapping root users on client
machines to "nobody" on the server machine—was used on the export.
If the user on the compromised machine can execute code on the server or
any other client, they can directly access the device that underlies the
device node entry. They will not require any special permissions on the
other machines because the device node is owned by them. For example,
creating the
equivalent of /dev/hda on the server's filesystem might allow
direct access to the hard disk block device on any system that had the
NFS filesystem mounted. Uglier exploits can certainly be imagined.
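The flaw is easiest to see as a bitmask problem. The following C program is an added illustration, not the kernel's code or Zhbanov's analysis: it models the filesystem capability mask as it stood before the fix (the five classic filesystem capabilities) and as corrected (with CAP_MKNOD and CAP_LINUX_IMMUTABLE added), then shows what survives when a root-squashed request has its filesystem capabilities "dropped". The capability numbers are those from include/linux/capability.h; the mask definitions and helper names (`cap_drop_fs_set`, `fs_caps_not_covered`, `mknod_survives_squash`) are this example's own simplification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in include/linux/capability.h. */
enum {
    CAP_CHOWN           = 0,
    CAP_DAC_OVERRIDE    = 1,
    CAP_DAC_READ_SEARCH = 2,
    CAP_FOWNER          = 3,
    CAP_FSETID          = 4,
    CAP_LINUX_IMMUTABLE = 9,
    CAP_MKNOD           = 27,
};

#define CAP_TO_MASK(cap) ((uint64_t)1 << (cap))

/* Model of the mask the VFS/NFS code used to "drop filesystem privileges"
 * before the fix: it never mentioned CAP_MKNOD or CAP_LINUX_IMMUTABLE. */
#define CAP_FS_MASK_OLD                     \
    (CAP_TO_MASK(CAP_CHOWN)                 \
     | CAP_TO_MASK(CAP_DAC_OVERRIDE)        \
     | CAP_TO_MASK(CAP_DAC_READ_SEARCH)     \
     | CAP_TO_MASK(CAP_FOWNER)              \
     | CAP_TO_MASK(CAP_FSETID))

/* Model of the corrected mask: the two forgotten capabilities are added. */
#define CAP_FS_MASK_FIXED                   \
    (CAP_FS_MASK_OLD                        \
     | CAP_TO_MASK(CAP_MKNOD)               \
     | CAP_TO_MASK(CAP_LINUX_IMMUTABLE))

/* Every capability that filesystem permission checks honour. A drop-mask
 * is only complete when it covers all of these (assumption of this model). */
#define CAPS_HONOURED_BY_FS CAP_FS_MASK_FIXED

static bool cap_raised(uint64_t caps, int cap)
{
    return (caps & CAP_TO_MASK(cap)) != 0;
}

/* What happens before a root-squashed operation: clear the fs capabilities. */
static uint64_t cap_drop_fs_set(uint64_t caps, uint64_t fs_mask)
{
    return caps & ~fs_mask;
}

/* Audit helper: which fs-relevant capabilities does this mask fail to drop? */
static uint64_t fs_caps_not_covered(uint64_t fs_mask)
{
    return CAPS_HONOURED_BY_FS & ~fs_mask;
}

/* Simulate a squashed request that arrived with a full capability set and
 * report whether CAP_MKNOD is still in effect afterwards. */
static bool mknod_survives_squash(uint64_t fs_mask)
{
    uint64_t all_caps = ~(uint64_t)0;
    return cap_raised(cap_drop_fs_set(all_caps, fs_mask), CAP_MKNOD);
}

int main(void)
{
    printf("old mask:   CAP_MKNOD survives root_squash? %s\n",
           mknod_survives_squash(CAP_FS_MASK_OLD) ? "yes" : "no");
    printf("fixed mask: CAP_MKNOD survives root_squash? %s\n",
           mknod_survives_squash(CAP_FS_MASK_FIXED) ? "yes" : "no");
    printf("fs capabilities the old mask leaves in place: 0x%llx\n",
           (unsigned long long)fs_caps_not_covered(CAP_FS_MASK_OLD));
    return 0;
}
```

The audit helper is the part worth keeping in mind: a "drop privileges" mask is only as good as its agreement with the set of capabilities the permission checks actually consult, and the two can drift apart silently when a new capability is added.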
This is clearly a nasty problem. Linus Torvalds merged the fix for the
recently released 2.6.30-rc2 kernel. One would guess the -stable tree
folks won't be too far behind. Serge Hallyn also provided patches for 2.4 and
2.2 kernels, though the latter has become completely unsupported.
The patch was greeted with a question from
Valdis Kletnieks: "Wow. How did this manage to stay un-noticed for
this long?" Torvalds had a characteristically blunt answer: "Because nobody uses
capabilities?" While that might explain how the bug went undetected
for so long, it doesn't help alleviate the problem. Whether or not user
space is using capabilities is irrelevant; the kernel itself certainly is.
This is not the first time capabilities have been the source of a nasty,
exploitable hole. The unfortunately-named "sendmail-capabilities
bug" provided a way to gain root privileges by exploiting the way
sendmail dropped its privileges. The solution, when this bug was
found in 2000, was to "cripple" capabilities in the kernel by disabling
capability inheritance. That functionality was not restored until
relatively recently.
If distributions and other users were doing more
with capabilities, it does seem likely that this particular problem would
have been seen sometime in the last decade. But, by and large, Torvalds is
right. For one thing, capabilities are a Linux-specific feature, so anyone
writing portable code is likely to avoid using them. In addition, they are
fairly difficult to wrap your head around; that complexity tends to lead
folks to ignore capabilities.
There have been some efforts at using
capabilities in distributions more, but one has to wonder how many more
exploits still lurk in that code. It is hard to imagine removing
capabilities at this late date—it is a user-space interface from the
kernel after all—but some must be wondering if the feature is worth
all the trouble it has caused.
Comments (8 posted)
New vulnerabilities
clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | |
| Created: | April 14, 2009 |
| Updated: | April 15, 2009 |
| Description: | From the Ubuntu advisory: It was discovered that ClamAV did not properly verify buffers when processing Upack files. A remote attacker could send a crafted file and cause a denial of service via application crash. |
| Alerts: | |
Comments (none posted)
ghostscript: overflows and underflows
| Package(s): | ghostscript |
| CVE #(s): | CVE-2007-6725, CVE-2008-6679, CVE-2009-0196 |
| Created: | April 15, 2009 |
| Updated: | August 2, 2010 |
| Description: | Ghostscript contains a buffer underflow in the CCITTFax decoder (CVE-2007-6725), a buffer overflow in the BaseFont writer module (CVE-2008-6679) and a buffer overflow in the jbig2dec library (CVE-2009-0196). |
| Alerts: | |
Comments (none posted)
ghostscript: integer overflows
| Package(s): | ghostscript |
| CVE #(s): | CVE-2009-0792 |
| Created: | April 9, 2009 |
| Updated: | August 2, 2010 |
| Description: | Ghostscript has multiple integer overflows. The National Vulnerability Database entry states: Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583. |
| Alerts: | |
Comments (none posted)
imp4: cross-site scripting
| Package(s): | imp4 |
| CVE #(s): | CVE-2009-0930 |
| Created: | April 13, 2009 |
| Updated: | April 1, 2010 |
| Description: | From the Debian advisory: It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code. |
| Alerts: | |
Comments (none posted)
mod_perl: cross-site scripting
| Package(s): | mod_perl |
| CVE #(s): | CVE-2009-0796 |
| Created: | April 13, 2009 |
| Updated: | December 9, 2009 |
| Description: | From the Mandriva advisory: Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI (CVE-2009-0796). |
| Alerts: | |
Comments (none posted)
ntop: world-writable log file
| Package(s): | ntop |
| CVE #(s): | |
| Created: | April 14, 2009 |
| Updated: | April 15, 2009 |
| Description: | /var/log/ntop/access.log is world-writable if the --access-log-file option is used. |
| Alerts: | |
Comments (none posted)
ntp: arbitrary code execution
| Package(s): | ntp |
| CVE #(s): | CVE-2009-0159 |
| Created: | April 14, 2009 |
| Updated: | December 9, 2009 |
| Description: | From the Mandriva advisory: Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution. |
| Alerts: | |
Comments (none posted)
openafs: multiple vulnerabilities
| Package(s): | openafs |
| CVE #(s): | CVE-2009-1250, CVE-2009-1251 |
| Created: | April 13, 2009 |
| Updated: | January 17, 2011 |
| Description: | From the Debian advisory: An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding (CVE-2009-1251). An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module (CVE-2009-1250). |
| Alerts: | |
Comments (none posted)
php: denial of service
| Package(s): | php |
| CVE #(s): | CVE-2009-1271 |
| Created: | April 10, 2009 |
| Updated: | January 6, 2010 |
| Description: | From the Mandriva advisory: The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function. |
| Alerts: | |
Comments (none posted)
pptp: file permission problem
| Package(s): | pptp |
| CVE #(s): | |
| Created: | April 9, 2009 |
| Updated: | April 15, 2009 |
| Description: | pptp has a file permission problem. From the Fedora 10 alert: This update corrects the behaviour of pptpsetup when its --delete option is used, retaining the permissions of /etc/ppp/chap-secrets rather than creating a new file that is likely to be world-readable. If you have previously used the --delete option of pptpsetup, you should reset the permissions of /etc/ppp/chap-secrets to their default value of 0600 unless you have good reasons to use another value: # chmod 600 /etc/ppp/chap-secrets. |
| Alerts: | |
Comments (none posted)
seamonkey: XSL Transformation vulnerability
| Package(s): | seamonkey |
| CVE #(s): | |
| Created: | April 14, 2009 |
| Updated: | April 15, 2009 |
| Description: | See Security Advisories for SeaMonkey 1.1: SeaMonkey 1.1.16 fixes an XSL Transformation vulnerability. |
| Alerts: | |
Comments (none posted)
tor: multiple vulnerabilities
| Package(s): | tor |
| CVE #(s): | CVE-2008-5397, CVE-2008-5398, CVE-2009-0414, CVE-2009-0939, CVE-2009-0936, CVE-2009-0937, CVE-2009-0938 |
| Created: | April 9, 2009 |
| Updated: | April 15, 2009 |
| Description: | Tor has a number of vulnerabilities. From the Gentoo alert: Theo de Raadt reported that the application does not properly drop privileges to the primary groups of the user specified via the "User" configuration option (CVE-2008-5397). rovv reported that the "ClientDNSRejectInternalAddresses" configuration option is not always enforced (CVE-2008-5398). Ilja van Sprundel reported a heap-corruption vulnerability that might be remotely triggerable on some platforms (CVE-2009-0414). It has been reported that incomplete IPv4 addresses are treated as valid, violating the specification (CVE-2009-0939). Three unspecified vulnerabilities have also been reported (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938). |
| Alerts: | |
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2009-1210, CVE-2009-1268, CVE-2009-1269 |
| Created: | April 10, 2009 |
| Updated: | December 7, 2009 |
| Description: | From the Mandriva advisory: The PROFINET dissector was vulnerable to a format string overflow (CVE-2009-1210). The Check Point High-Availability Protocol (CPHAP) dissector could crash (CVE-2009-1268). Wireshark could crash while loading a Tektronix .rf5 file (CVE-2009-1269). |
| Alerts: | |
Comments (none posted)
wordpress-mu: cross-site scripting vulnerability
| Package(s): | wordpress-mu |
| CVE #(s): | CVE-2009-1030 |
| Created: | April 9, 2009 |
| Updated: | August 18, 2009 |
| Description: | From the National Vulnerability Database entry: Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. |
| Alerts: | |
Comments (none posted)
xine-lib: integer overflow
| Package(s): | xine-lib |
| CVE #(s): | CVE-2009-1274 |
| Created: | April 9, 2009 |
| Updated: | June 1, 2010 |
| Description: | From the National Vulnerability Database entry: Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow. |
| Alerts: | |
Comments (none posted)
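The xine-lib entry just above and the Ghostscript icclib entry earlier on this page describe the same failure mode: an element count read from an untrusted file is multiplied by an element size, the product wraps, a too-small buffer is allocated, and the loop that still trusts the count overruns the heap. The C program below is an added illustration of that pattern and of the hardened parse that prevents it; it is not xine's or Ghostscript's code. It models a time-to-sample table as QuickTime lays it out (a 32-bit big-endian count followed by 8-byte entries), and the sample buffers, including the one with a wrapping count, are constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One STTS-style entry: how many samples share a given duration. */
struct time_to_sample {
    uint32_t sample_count;
    uint32_t sample_delta;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable arithmetic, kept separate and never used to allocate:
 * count * sizeof(entry) evaluated in 32 bits wraps for large counts, so
 * count 0x20000001 yields 8 bytes, room for exactly one entry. */
static uint32_t unchecked_table_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(struct time_to_sample);
}

/* Hardened parser. The declared count is checked against what the
 * allocator can represent and against the bytes actually present before
 * any multiplication is trusted. Returns the entry count, or -1 on a
 * malformed table; *out receives a calloc'ed array the caller frees. */
static int parse_time_to_sample(const uint8_t *buf, size_t len,
                                struct time_to_sample **out)
{
    uint32_t count;
    size_t need;
    struct time_to_sample *tbl;

    *out = NULL;
    if (len < 4)
        return -1;
    count = be32(buf);

    /* Bound the count before multiplying, so the product cannot wrap. */
    if (count > INT_MAX || count > SIZE_MAX / sizeof(struct time_to_sample))
        return -1;
    need = (size_t)count * sizeof(struct time_to_sample);

    /* A count larger than the data we were handed is a lie in the file. */
    if (need > len - 4)
        return -1;

    tbl = calloc(count ? count : 1, sizeof *tbl);
    if (!tbl)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * 8;
        tbl[i].sample_count = be32(e);
        tbl[i].sample_delta = be32(e + 4);
    }
    *out = tbl;
    return (int)count;
}

/* Convenience wrapper: parse and return the sum of all deltas, or -1. */
static long sum_deltas(const uint8_t *buf, size_t len)
{
    struct time_to_sample *tbl;
    int n = parse_time_to_sample(buf, len, &tbl);
    long sum = 0;

    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        sum += tbl[i].sample_delta;
    free(tbl);
    return sum;
}

/* Constructed well-formed table: two entries. */
static const uint8_t good_table[] = {
    0x00, 0x00, 0x00, 0x02,                          /* count = 2 */
    0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x04, 0x00,  /* 10 samples, delta 1024 */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x00,  /* 1 sample, delta 512 */
};

/* Constructed hostile table: claims 0x20000001 entries but carries one. */
static const uint8_t bad_table[] = {
    0x20, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x04, 0x00,
};

int main(void)
{
    printf("32-bit size for count 0x20000001: %u bytes\n",
           unchecked_table_bytes(0x20000001u));
    printf("good table delta sum: %ld\n", sum_deltas(good_table, sizeof good_table));
    printf("bad table: %s\n", sum_deltas(bad_table, sizeof bad_table) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The two checks are deliberately separate: the division-based bound makes the multiplication itself safe, and the comparison against the remaining length catches counts that are arithmetically fine but still exceed the data, which is the case a wrapped size would otherwise let through.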
Page editor: Jake Edge