Security
By Jake Edge December 2, 2009
Just days after FreeBSD 8.0 was released,
the FreeBSD developers were undoubtedly unhappy to see a "zero day" exploit posted on the Bugtraq
mailing list. The exploit is for a local privilege escalation
vulnerability in the runtime loader (rtld) that allows unprivileged users
to become root. The vulnerability and patch highlight
the need for code—particularly security enforcing code—to check
the return values of functions that get called.
The exploit essentially creates a broken environment, such that
unsetenv() cannot delete variables from that environment. Because
unsetenv() is unable to remove variables like LD_PRELOAD
from the environment, rtld fails to do so when running a
setuid(0) binary such as ping. But, as the patch shows,
rtld could have recognized the situation by checking the return value from
unsetenv(). By not doing so, a security feature can easily be
circumvented.
LD_PRELOAD allows users to specify libraries they want
loaded before the executable. This is typically used to load previous
versions, debugging aids (like malloc()/free() tracking),
and things of that sort.
Clearly setuid() binaries should not be linked to arbitrary, user-controlled
libraries at runtime. In the case of the exploit, the shared library used
simply spawns a shell from its _init() function. That shell has an
effective user ID of root because the kernel has already switched the
process to root, as the setuid bit on ping requires, before rtld runs.
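As an added illustration (not FreeBSD's rtld code; the variable list is a hypothetical stand-in for the loader's own), here is how privileged code can treat unsetenv() as a call that may fail: check its return value, verify the variable is really gone, and fail closed when it is not.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical list of loader variables a setuid process must not honour
 * (the real rtld list is longer; this is illustration only). */
static const char *const unsafe_vars[] = { "LD_PRELOAD", "LD_LIBRARY_PATH" };
#define N_UNSAFE (sizeof unsafe_vars / sizeof unsafe_vars[0])

/* Remove every name in names[]; treat a failed or ineffective unsetenv()
 * as an error instead of assuming it "can't fail". Returns 0 only when all
 * listed variables are verifiably gone. */
int scrub_env(const char *const *names, size_t n)
{
    int rc = 0;
    for (size_t i = 0; i < n; i++) {
        if (unsetenv(names[i]) != 0) {
            fprintf(stderr, "unsetenv(%s) failed: %s\n", names[i], strerror(errno));
            rc = -1;
            continue;
        }
        /* Verify the post-condition rather than trusting the return code alone. */
        if (getenv(names[i]) != NULL) {
            fprintf(stderr, "%s still set after unsetenv()\n", names[i]);
            rc = -1;
        }
    }
    return rc;
}

/* Fail closed: when the environment cannot be sanitised, continue with an
 * empty one rather than with variables the caller still controls.
 * Returns 0 if scrubbing succeeded, 1 if the fallback was taken. */
int sanitize_or_fail_closed(const char *const *names, size_t n)
{
    static char *empty_environ[] = { NULL };
    if (scrub_env(names, n) == 0)
        return 0;
    environ = empty_environ;
    return 1;
}

int main(void)
{
    setenv("LD_PRELOAD", "/tmp/example.so", 1);   /* constructed sample value */
    int fell_back = sanitize_or_fail_closed(unsafe_vars, N_UNSAFE);
    printf("fell back: %d, LD_PRELOAD=%s\n", fell_back,
           getenv("LD_PRELOAD") ? getenv("LD_PRELOAD") : "(unset)");
    return 0;
}
```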
It is common for programmers to ignore return values for functions that
"can't fail", but that is a dangerous practice. It is worse when it
happens in code that runs with privileges. Something similar occurred with
the (badly named) "sendmail
capabilities bug", which was really a problem with the Linux kernel
capabilities implementation. But, had sendmail been more defensive and
checked the return code from setuid() when it was dropping
privileges—something that "can't fail"—a much bigger problem
would have been averted.
If the person writing the system or library call believed that the call
can't fail, they would presumably have made it a void function.
That's not to say that those programmers—or committees like
POSIX—are immune from bugs or bad
decisions, but callers should heed their intent. It's a difficult problem,
though, as it is sometimes unclear what the program should do if something
that can't fail does fail. Worse yet, without some kind of
comprehensive fault-injection framework, those error paths are difficult to
test. But, at least for privileged code, the problem can't be ignored.
This particular problem has existed in FreeBSD since version 7.0, released
in February 2008. A pre-advisory with the
patch was released by FreeBSD within a few hours of the Bugtraq posting.
A full advisory and update is expected soon. In the meantime, this should
serve as something of an object lesson for others; hopefully that will lead
to developers scrutinizing existing code for similar issues, while also
helping to remind programmers not to make that kind of mistake in any
future code they write.
Brief items
Light Blue Touchpaper previews a paper [PDF] describing the Open Vote Network protocol that would allow anonymous voting under a system of total communications surveillance. "In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter's privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects."
New vulnerabilities
awstats: missing security key
Package(s): awstats
CVE #(s): none listed
Created: December 1, 2009
Updated: December 2, 2009
Description: From the Red Hat bugzilla:
Advanced Web Statistics (awstat) upstream has released a new (6.95) version,
addressing two security related issues. Quoting from awstats Changelog:
- Fix security in awredir.pl script by adding a security key required by
default.
- Enhance security of parameter sanitizing function.
bind: DNS cache poisoning
Package(s): bind
CVE #(s): CVE-2009-4022
Created: November 27, 2009
Updated: June 28, 2010
Description: From the Mandriva advisory:
Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5
before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3,
and 9.0.x through 9.3.x with DNSSEC validation enabled and checking
disabled (CD), allows remote attackers to conduct DNS cache poisoning
attacks via additional sections in a response sent for resolution
of a recursive client query, which is not properly handled when the
response is processed at the same time as requesting DNSSEC records
(DO).
dovecot: authentication bypass
Package(s): dovecot
CVE #(s): CVE-2009-3897
Created: November 30, 2009
Updated: January 19, 2010
Description: From the Mandriva advisory:
Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of
certain directories at installation time, which allows local users to
access arbitrary user accounts by replacing the auth socket, related
to the parent directories of the base_dir directory, and possibly
the base_dir directory itself (CVE-2009-3897).
dstat: arbitrary code execution
Package(s): dstat
CVE #(s): CVE-2009-3894
Created: November 25, 2009
Updated: December 28, 2009
Description: From the Gentoo advisory:
Robert Buchholz of the Gentoo Security Team reported that dstat
includes the current working directory and subdirectories in the Python
module search path (sys.path) before calling "import".
A local attacker could entice a user to run "dstat" from a directory
containing a specially crafted Python module, resulting in the
execution of arbitrary code with the privileges of the user running the
application.
kdelibs: arbitrary code execution
Package(s): kdelibs
CVE #(s): CVE-2009-0689
Created: November 25, 2009
Updated: June 14, 2010
Description: From the Red Hat advisory:
A buffer overflow flaw was found in the kdelibs string to floating point
conversion routines. A web page containing malicious JavaScript could crash
Konqueror or, potentially, execute arbitrary code with the privileges of
the user running Konqueror. (CVE-2009-0689)
libtool: privilege escalation
Package(s): libtool
CVE #(s): CVE-2009-3736
Created: November 30, 2009
Updated: March 3, 2011
Description: From the Mandriva advisory:
All versions of libtool prior to 2.2.6b suffer from a local
privilege escalation vulnerability that could be exploited under
certain conditions to load arbitrary code (CVE-2009-3736).
php: denial of service, arbitrary code execution
Package(s): php5
CVE #(s): CVE-2009-4017, CVE-2009-4018
Created: November 27, 2009
Updated: February 23, 2010
Description: From the Ubuntu advisory:
Bogdan Calin discovered that PHP did not limit the number of temporary
files created when handling multipart/form-data POST requests. A remote
attacker could exploit this flaw and cause the PHP server to consume all
available resources, resulting in a denial of service.
It was discovered that PHP did not properly enforce restrictions in the
proc_open function. An attacker could exploit this issue to bypass
safe_mode_protected_env_vars restrictions and possibly execute arbitrary
code with application privileges.
php: information disclosure
Package(s): php5
CVE #(s): CVE-2009-2626
Created: December 1, 2009
Updated: February 23, 2010
Description: From the Debian advisory:
A flaw in the ini_restore() function could lead to a memory
disclosure, possibly leading to the disclosure of sensitive data.
php-pear-Mail: information disclosure
Package(s): php-pear-Mail
CVE #(s): CVE-2009-4023, CVE-2009-4111
Created: December 1, 2009
Updated: November 3, 2010
Description: From the Fedora advisory:
PEAR's Mail class did not properly escape content of mail header fields when using the sendmail backend. A remote attacker could send an email message with specially-crafted headers to a local user, leading to disclosure of content and potentially to modification of arbitrary system files, once the email message was processed by the PEAR's Mail class.
php-pear-Net-Ping: arbitrary code execution
Package(s): php-pear-Net-Ping
CVE #(s): CVE-2009-4024
Created: November 25, 2009
Updated: December 14, 2009
Description: From the PHP-PEAR advisory:
Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.
php-pear-Net-Traceroute: arbitrary code execution
Package(s): php-pear-Net-Traceroute
CVE #(s): CVE-2009-4025
Created: November 25, 2009
Updated: December 2, 2009
Description: From the PHP-PEAR advisory:
Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.
poppler: multiple vulnerabilities
roundcube: cross-site request forgery
Package(s): roundcubemail
CVE #(s): CVE-2009-4076, CVE-2009-4077
Created: December 2, 2009
Updated: January 19, 2010
Description: Roundcube suffers from two cross-site request forgery vulnerabilities which enable attackers to hijack authentication credentials from users.
wireshark: multiple arbitrary code execution vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-3243, CVE-2009-3549, CVE-2009-3551
Created: November 25, 2009
Updated: January 12, 2010
Description: Dissector problems in TLS (CVE-2009-3243), Paltalk (CVE-2009-3549), and SMB (CVE-2009-3551).
From the Gentoo advisory:
A remote attacker could entice a user to open a specially crafted "erf"
file using Wireshark, possibly resulting in the execution of arbitrary
code with the privileges of the user running the application. A remote
attacker could furthermore send specially crafted packets on a network
being monitored by Wireshark or entice a user to open a malformed
packet trace file using Wireshark, possibly resulting in a Denial of
Service.
Page editor: Jake Edge