
suid-binary vulnerabilities

Posted Oct 28, 2010 14:58 UTC (Thu) by RobSeace (subscriber, #4435)
In reply to: suid-binary vulnerabilities by marcH
Parent article: Two glibc vulnerabilities

Well, the hole becomes less serious when exploited, but I wouldn't say it was "plugged", really... Now, successful exploitation just gets you the ability to create raw sockets instead of full root... But, raw sockets aren't really something you want to give to an untrusted user to play with, either...

But, yeah, it'd still be better than giving them root, so yeah, why isn't this done if it's possible?



suid-binary vulnerabilities

Posted Oct 28, 2010 15:21 UTC (Thu) by ccurtis (guest, #49713)

Looks like Fedora 15 is going to try it.

http://fedoraproject.org/wiki/Features/RemoveSETUID

suid-binary vulnerabilities

Posted Oct 28, 2010 19:44 UTC (Thu) by dlang (subscriber, #313)

They are not fundamentally changing anything, they are just moving from a single suid bit to an array of individual capabilities. This still lets a user execute a program that will have more privileges than the user with whatever environment the user defines.

suid-binary vulnerabilities

Posted Oct 29, 2010 11:00 UTC (Fri) by marcH (subscriber, #57642)

Still looks like a major improvement to me.

suid-binary vulnerabilities

Posted Oct 28, 2010 22:04 UTC (Thu) by kees (subscriber, #27264)

This just slightly reduces the attack surface, but doesn't fundamentally solve the problem (vulnerabilities like this in the loader are extremely dangerous). There will still be things with CAP_SETUID. Here's Tavis's $ORIGIN attack, unchanged except modified to target /bin/su instead of /bin/ping, and with the proposed change made to /bin/su (drop setuid, gain CAP_SETUID):

[kees@fedora-13-i686 ~]$ ls -la /bin/su
-rwxr-xr-x. 1 root root 29292 Feb 12 2010 /bin/su
[kees@fedora-13-i686 ~]$ getcap /bin/su
/bin/su = cap_setuid+ep
[kees@fedora-13-i686 ~]$ ./glibc-ld_audit-origin.sh
[root@fedora-13-i686 ~]# id
uid=0(root) gid=500(kees) groups=0(root),500(kees) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

suid-binary vulnerabilities

Posted Oct 29, 2010 10:27 UTC (Fri) by marcH (subscriber, #57642)

Please be fair and compare CAP_NET_RAW with CAP_SETUID..

suid-binary vulnerabilities

Posted Oct 29, 2010 11:49 UTC (Fri) by kees (subscriber, #27264)

Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc). It absolutely reduces the attack surface in general, but linker vulnerabilities will remain a serious problem. Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though.

suid-binary vulnerabilities

Posted Oct 29, 2010 11:52 UTC (Fri) by rahulsundaram (subscriber, #21946)

"Removing the setuid bit is a great idea for reducing the impact of bugs in the setuid program itself, though"

Precisely, the goal.

suid-binary vulnerabilities

Posted Oct 29, 2010 13:41 UTC (Fri) by marcH (subscriber, #57642)

> Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc).

"Let's not bother making the windows more secure, because the front door sucks anyway".

Actually, let's bother. Because it's progress:
- progress towards the entire perimeter being finally secured.
- some malware knows only about windows. Being hacked once a month is progress compared to twice.

> It absolutely reduces the attack surface in general,...

Agreed!

suid-binary vulnerabilities

Posted Oct 29, 2010 15:14 UTC (Fri) by kees (subscriber, #27264)

Right, I didn't mean to say it shouldn't be done. Getting rid of the setuid bit is a great goal. I was just trying to point out that it does not solve problems like those recently found in glibc. It _does_, of course, kill a whole separate set of problems, and I love that. :) I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations.

suid-binary vulnerabilities

Posted Oct 28, 2010 17:05 UTC (Thu) by jreiser (subscriber, #11027)

> why isn't this done if it's possible?

There are [have been] bigger fish to fry.

suid-binary vulnerabilities

Posted Oct 28, 2010 18:53 UTC (Thu) by RobSeace (subscriber, #4435)

Oh, and I just realized that if a system were to do this for all setuid binaries, then it would be very important for the linker to treat these "enhanced capability" programs just as it would setuid/setgid programs... I.e.: don't allow $LD_PRELOAD and such... Otherwise, of course, it would be trivial for anyone to gain their enhanced capabilities... Which, while not as bad as gaining root, is still not something you want to make trivially easy to do...

suid-binary vulnerabilities

Posted Oct 28, 2010 19:55 UTC (Thu) by spender (subscriber, #23067)

This is exactly what the AT_SECURE auxv entry already does.

-Brad
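An added example, not code from this thread, from glibc or from the Fedora feature page, tying together kees's getcap demonstration above and the AT_SECURE point: a small C program that a "capability instead of setuid" binary could use to see what the kernel and loader decided about it. It reads the AT_SECURE auxv entry (the flag ld.so consults before honouring LD_PRELOAD, LD_AUDIT and LD_LIBRARY_PATH), checks which of those variables survived into main(), and parses its own capability sets from /proc/self/status rather than linking libcap. It assumes Linux and glibc 2.16 or newer (for getauxval); the capability bit numbers are copied from linux/capability.h so no kernel headers are needed.

```c
/*
 * capcheck.c -- added example, not code from the LWN thread or from glibc.
 * Reports the AT_SECURE flag, which loader-sensitive environment variables
 * reached main(), and the process's permitted/effective capability sets.
 * Assumes Linux with glibc >= 2.16 (getauxval).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/auxv.h>

/* Bit numbers from linux/capability.h, repeated to avoid a kernel-header dependency. */
#define CAP_SETUID_BIT   7
#define CAP_NET_RAW_BIT 13

/* Variables glibc's ld.so unsets when AT_SECURE is set (a subset of its "unsecure" list). */
static const char *const LOADER_ENV[] = { "LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH", NULL };

/* 1 if the kernel asked the loader for secure-execution mode: setuid/setgid,
 * or file capabilities that raised the permitted set beyond what we had. */
int secure_execution(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Parse a "CapXxx:\t<hex>" line out of /proc/<pid>/status text.
 * Returns 0 and stores the mask in *out on success, -1 if absent or malformed. */
int parse_cap_field(const char *status_text, const char *field, uint64_t *out) {
    size_t flen = strlen(field);
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            while (*v == ' ' || *v == '\t') v++;
            char *end;
            unsigned long long val = strtoull(v, &end, 16);
            if (end == v) return -1;
            *out = (uint64_t)val;
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 if capability number `bit` is present in `mask`. */
int has_cap(uint64_t mask, int bit) {
    return (int)((mask >> bit) & 1);
}

/* How many of LOADER_ENV are still visible to main(); 0 in secure mode. */
int loader_env_survivors(void) {
    int n = 0;
    for (int i = 0; LOADER_ENV[i]; i++)
        if (getenv(LOADER_ENV[i])) n++;
    return n;
}

/* Read /proc/self/status into buf; returns bytes read or -1. */
static long read_self_status(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void) {
    char buf[8192];
    uint64_t eff = 0, perm = 0;
    printf("AT_SECURE            : %d\n", secure_execution());
    printf("loader env survivors : %d of 3\n", loader_env_survivors());
    if (read_self_status(buf, sizeof buf) > 0 &&
        parse_cap_field(buf, "CapPrm", &perm) == 0 &&
        parse_cap_field(buf, "CapEff", &eff) == 0) {
        printf("CapPrm=%016llx CapEff=%016llx\n",
               (unsigned long long)perm, (unsigned long long)eff);
        printf("CAP_NET_RAW effective: %d  CAP_SETUID effective: %d\n",
               has_cap(eff, CAP_NET_RAW_BIT), has_cap(eff, CAP_SETUID_BIT));
    }
    return 0;
}
```

To see the two modes, build it as an ordinary user and run `LD_AUDIT=/nonexistent ./capcheck` (ld.so warns that the audit object cannot be loaded and carries on): AT_SECURE is 0 and the variable survives. Then `sudo setcap cap_net_raw+ep ./capcheck` and repeat as the same unprivileged user: the kernel sets AT_SECURE because the file capability raised the permitted set, ld.so strips the variable before main() runs, and CAP_NET_RAW shows up in CapEff. Run as root the flag stays 0, since root already held the capability and nothing was raised; that is the same reason a CAP_SETUID-bearing su is not helped by this check once a loader bug has already been exploited, which is kees's point.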


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds