Security
Calibre and setuid
Programs that regular users can run with root privileges (i.e. setuid programs) are tricky to write correctly, which is why they are best avoided whenever possible. But there are, of course, things that users need to be able to do that require privileges (changing passwords is a canonical example), which is why the setuid/setgid facility exists in Unix. When the need arises, however, a great deal of care should be taken before writing and releasing a program that is meant to be installed as setuid (aka SUID). A recent bug report for the Calibre e-book reader shows the kinds of problems that can come about if proper care is not exercised.
Jason Donenfeld reported several bugs in the setuid calibre-mount-helper program to the project's Launchpad bug tracker on November 1. Essentially, the program is meant to allow Calibre users to mount various removable devices (like e-book readers connected via USB) to update the content on readers. Unfortunately, it suffered from five separate problems that Donenfeld reported, some of which could be easily used as a local privilege escalation—to root.
The problems themselves read like a laundry list of things not to do in a setuid program, including not sanitizing user input, not setting the PATH environment variable before calling exec(), and not sanity-checking arguments. It's not completely surprising that Calibre got these things wrong, as they are fairly common programming mistakes. For programs running with a user's privileges, those kinds of errors typically just lead to bugs of various sorts (some of which could have fairly catastrophic consequences for the user, but not the system as a whole). For setuid programs, though, errors like those can lead to very serious security holes—as they did here.
Something that was a bit surprising was the combative tone that Calibre's lead developer Kovid Goyal took in the comments on the bug. Rather than working with Donenfeld to see what the problems were, he dismissed most of the bugs as invalid. Even after Donenfeld tried to further point out the problems, Goyal was rather sarcastic in response:
The proof-of-concept that Donenfeld posted with the bug—fairly snarky in tone, which may not have helped—clearly showed how to exploit the lack of PATH sanitization to get root privileges, but didn't demonstrate a different reported problem with argument injection to the mount program. That particular problem results from not sanitizing the user input and passing it on to mount. The other three problems (arbitrary root-owned directory creation, arbitrary empty directory removal, and creating .created_by_calibre_mount_helper files anywhere in the filesystem) are going to be harder to exploit, but they certainly aren't capabilities that regular users should have.
Goyal fixed the PATH issue immediately, but didn't see the argument injection problem, and therefore didn't fix it. Dan Rosenberg pointed out that there was still a bug:
In addition, Rosenberg suggested that there were safer ways to allow users to mount removable media, rather than writing a setuid application specific to Calibre. Once again, though, Goyal takes the combative approach. He committed a fix (though it doesn't really solve the problem) for the problem of "mounting on top of important directories", but seems affronted by the bug comments:
Part of the problem is that Goyal is looking for a single solution to the mounting problem that works "on *every single linux distro that the current technique works on* not just version >= x of distro y". While that complaint has some merit, it is hardly an excuse to introduce security holes into the system. Though Goyal claims to be aware of the "dangers" of setuid programs, the code in calibre-mount-helper does not really bear that out.
In fact, Donenfeld quickly came back with an example exploit that routed around Goyal's fix. The fix just disallows mounting in /usr, /bin, or /sbin, but Donenfeld's example mounts a /etc filesystem (with a chosen root password in passwd), thus allowing the user to log in as root. Obviously, /etc can be added to the disallowed list, but that becomes something of an arms race. A whitelisting approach might be more reasonable, but a better solution would be to use the distribution-supplied mechanisms for mounting the e-book readers. Those solutions should have had most of the obvious (and some non-obvious) problems shaken out, though there is no universal cross-distribution mechanism as Goyal would like to see.
As Donenfeld points out, Debian does not install the mount helper, and instead uses a wrapper script around udisks. Fedora also avoids the mount helper. Judging from this bug report, Ubuntu has picked up the Debian fix as well. It is unclear whether any of those distributions made an effort to get the word out about the problem or get a fix upstream. openSUSE seems to install calibre-mount-helper, however, and various other distributions may as well. In any case, anyone who picks up the source package and installs it will get the program installed as a setuid binary in /opt/calibre/bin.
Writing secure code is hard. Programmers tend to focus on what they are trying to accomplish, rather than all of the different ways the program can be abused. That's not an excuse, but it is an explanation of sorts. Distributions and users should be especially vigilant about setuid programs that come in from packages that, arguably anyway, shouldn't need them. Projects should probably also try to engage with folks that report security problems, rather than attacking them.
As of this writing, the Calibre trunk is still vulnerable to the example exploit that Donenfeld posted. One would expect to see a fix for it soon, and for any distributions that install calibre-mount-helper to issue updates. Users who have it installed from source may want to investigate using a wrapper script or other means to disarm the bug until the fix is made, at least on shared machines.
Brief items
Security quotes of the week
The redress letter suggests that even though nothing is wrong, I'll still be selected for "random" screenings. Consider what they tell us of safety and justice, and ask yourself: is it possible that a system full of such obvious and casual dishonesty will provide it?
Blaze: Key escrow from a safe distance
Matt Blaze has published a look back at the clipper chip controversy [PDF] for an upcoming conference. It is a good retrospective of a crucial moment in the crypto wars. "And so even before the Web became synonymous with the Internet, before a single bit of encrypted SSL traffic was generated, lines were being drawn for what would become an epic battle that would preoccupy a generation of cryptographers. (And it was a bad time for that community to be preoccupied; this was the same time that the basic foundations of the web and other critical communications technologies were designed and put into place. We've been living with the security, or lack of security, built in to that infrastructure ever since)."
New vulnerabilities
backuppc: cross-site scripting
| Package(s): | backuppc |
|---|---|
| CVE #(s): | CVE-2011-3361 |
| Created: | October 28, 2011 |
| Updated: | February 2, 2012 |
| Description: | From the Ubuntu advisory: It was discovered that BackupPC did not properly sanitize its input when processing backup browser error messages, resulting in a cross-site scripting (XSS) vulnerability. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. |
| Alerts: | |
chromium: multiple vulnerabilities
| Package(s): | chromium |
|---|---|
| CVE #(s): | CVE-2011-2345 CVE-2011-2346 CVE-2011-2347 CVE-2011-2348 CVE-2011-2349 CVE-2011-2350 CVE-2011-2351 CVE-2011-2835 CVE-2011-2837 CVE-2011-2838 CVE-2011-2839 CVE-2011-2840 CVE-2011-2841 CVE-2011-2843 CVE-2011-2844 CVE-2011-2845 CVE-2011-2846 CVE-2011-2847 CVE-2011-2848 CVE-2011-2849 CVE-2011-2850 CVE-2011-2851 CVE-2011-2852 CVE-2011-2853 CVE-2011-2854 CVE-2011-2855 CVE-2011-2856 CVE-2011-2857 CVE-2011-2858 CVE-2011-2859 CVE-2011-2860 CVE-2011-2861 CVE-2011-2862 CVE-2011-2864 CVE-2011-2874 CVE-2011-3234 CVE-2011-3873 CVE-2011-3875 CVE-2011-3876 CVE-2011-3877 CVE-2011-3878 CVE-2011-3879 CVE-2011-3880 CVE-2011-3881 CVE-2011-3882 CVE-2011-3883 CVE-2011-3884 CVE-2011-3885 CVE-2011-3886 CVE-2011-3887 CVE-2011-3888 CVE-2011-3889 CVE-2011-3890 CVE-2011-3891 |
| Created: | November 1, 2011 |
| Updated: | November 9, 2011 |
| Description: | From the CVE entries: The NPAPI implementation in Google Chrome before 12.0.742.112 does not properly handle strings, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2345) Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG fonts. (CVE-2011-2346) Google Chrome before 12.0.742.112 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. (CVE-2011-2347) Google V8, as used in Google Chrome before 12.0.742.112, performs an incorrect bounds check, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2348) Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to text selection. (CVE-2011-2349) The HTML parser in Google Chrome before 12.0.742.112 does not properly address "lifetime and re-entrancy issues," which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2350) Use-after-free vulnerability in Google Chrome before 12.0.742.112 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG use elements. (CVE-2011-2351) Race condition in Google Chrome before 14.0.835.163 allows attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the certificate cache. (CVE-2011-2835) Google Chrome before 14.0.835.163 on Linux does not use the PIC and PIE compiler options for position-independent code, which has unspecified impact and attack vectors. (CVE-2011-2837) Google Chrome before 14.0.835.163 does not properly consider the MIME type during the loading of a plug-in, which has unspecified impact and remote attack vectors. (CVE-2011-2838) The PDF implementation in Google Chrome before 13.0.782.215 on Linux does not properly use the memset library function, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2839) Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to "unusual user interaction." (CVE-2011-2840) Google Chrome before 14.0.835.163 does not properly perform garbage collection during the processing of PDF documents, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-2841) Google Chrome before 14.0.835.163 does not properly handle media buffers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2843) Google Chrome before 14.0.835.163 does not properly process MP3 files, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2844) Google Chrome before 15.0.874.102 does not properly handle history data, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors. (CVE-2011-2845) Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unload event handling. (CVE-2011-2846) Use-after-free vulnerability in the document loader in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-2847) Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to the forward button. (CVE-2011-2848) The WebSockets implementation in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. (CVE-2011-2849) Google Chrome before 14.0.835.163 does not properly handle Khmer characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2850) Google Chrome before 14.0.835.163 does not properly handle video, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2851) Off-by-one error in Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-2852) Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to plug-in handling. (CVE-2011-2853) Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to "ruby / table style handing." (CVE-2011-2854) Google Chrome before 14.0.835.163 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node." (CVE-2011-2855) Google V8, as used in Google Chrome before 14.0.835.163, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. (CVE-2011-2856) Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the focus controller. (CVE-2011-2857) Google Chrome before 14.0.835.163 does not properly handle triangle arrays, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2858) Google Chrome before 14.0.835.163 uses incorrect permissions for non-gallery pages, which has unspecified impact and attack vectors. (CVE-2011-2859) Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to table styles. (CVE-2011-2860) Google Chrome before 14.0.835.163 does not properly handle strings in PDF documents, which allows remote attackers to have an unspecified impact via a crafted document that triggers an incorrect read operation. (CVE-2011-2861) Google V8, as used in Google Chrome before 14.0.835.163, does not properly restrict access to built-in objects, which has unspecified impact and remote attack vectors. (CVE-2011-2862) Google Chrome before 14.0.835.163 does not properly handle Tibetan characters, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-2864) Google Chrome before 14.0.835.163 does not perform an expected pin operation for a self-signed certificate during a session, which has unspecified impact and remote attack vectors. (CVE-2011-2874) Google Chrome before 14.0.835.163 does not properly handle boxes, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2011-3234) Google Chrome before 14.0.835.202 does not properly implement shader translation, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. (CVE-2011-3873) Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors. (CVE-2011-3875) Google Chrome before 15.0.874.102 does not properly handle downloading files that have whitespace characters at the end of a filename, which has unspecified impact and user-assisted remote attack vectors. (CVE-2011-3876) Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVE-2011-3877) Race condition in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker process initialization. (CVE-2011-3878) Google Chrome before 15.0.874.102 does not prevent redirects to chrome: URLs, which has unspecified impact and remote attack vectors. (CVE-2011-3879) Google Chrome before 15.0.874.102 does not prevent use of an unspecified special character as a delimiter in HTTP headers, which has unknown impact and remote attack vectors. (CVE-2011-3880) Google Chrome before 15.0.874.102 allows remote attackers to bypass the Same Origin Policy via unspecified vectors. (CVE-2011-3881) Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media buffers. (CVE-2011-3882) Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to counters. (CVE-2011-3883) Google Chrome before 15.0.874.102 does not properly address timing issues during DOM traversal, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. (CVE-2011-3884) Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to stale Cascading Style Sheets (CSS) token-sequence data. (CVE-2011-3885) Google V8, as used in Google Chrome before 15.0.874.102, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers out-of-bounds write operations. (CVE-2011-3886) Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors. (CVE-2011-3887) Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to editing operations in conjunction with an unknown plug-in. (CVE-2011-3888) Heap-based buffer overflow in the Web Audio implementation in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3889) Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to video source handling. (CVE-2011-3890) Google Chrome before 15.0.874.102 does not properly restrict access to internal Google V8 functions, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2011-3891) |
| Alerts: | |
empathy: cross-site scripting
| Package(s): | empathy |
|---|---|
| CVE #(s): | CVE-2011-3635 CVE-2011-4170 |
| Created: | October 28, 2011 |
| Updated: | November 18, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that a cross-site scripting (XSS) vulnerability in the Adium theme allows remote attackers to inject arbitrary javascript or HTML via a crafted nickname in XMPP group conversations. |
| Alerts: | |
kernel: file corruption
| Package(s): | kernel |
|---|---|
| CVE #(s): | CVE-2011-3638 |
| Created: | October 31, 2011 |
| Updated: | April 25, 2012 |
| Description: | From the Red Hat bugzilla: A flaw was found in the way splitting two extents in ext4_ext_convert_to_initialized() worked. Although ex has been updated in memory, it is not dirtied both in ext4_ext_convert_to_initialized() and ext4_ext_insert_extent(). The disk layout is corrupted. Then it will meet with a BUG_ON() when writing at the start of that extent again. |
| Alerts: | |
phpldapadmin: multiple vulnerabilities
| Package(s): | phpldapadmin |
|---|---|
| CVE #(s): | CVE-2011-4075 CVE-2011-4074 |
| Created: | October 31, 2011 |
| Updated: | November 25, 2011 |
| Description: | From the Debian advisory: CVE-2011-4074: Input appended to the URL in cmd.php (when "cmd" is set to "_debug") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. CVE-2011-4075: Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to "query_engine", "query" is set to "none", and "search" is set to e.g. "1") is not properly sanitised in lib/functions.php before being used in a "create_function()" function call. This can be exploited to inject and execute arbitrary PHP code. |
| Alerts: | |
python-django: multiple vulnerabilities
| Package(s): | python-django |
|---|---|
| CVE #(s): | CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 |
| Created: | October 31, 2011 |
| Updated: | May 29, 2012 |
| Description: | From the Debian advisory: Paul McMillan, Mozilla and the Django core team discovered several vulnerabilities in Django, a Python web framework: CVE-2011-4136: When using memory-based sessions and caching, Django sessions are stored directly in the root namespace of the cache. When user data is stored in the same cache, a remote user may take over a session. CVE-2011-4137, CVE-2011-4138: Django's field type URLfield by default checks supplied URL's by issuing a request to it, which doesn't time out. A Denial of Service is possible by supplying specially prepared URL's that keep the connection open indefinitely or fill the Django's server memory. CVE-2011-4139: Django used X-Forwarded-Host headers to construct full URL's. This header may not contain trusted input and could be used to poison the cache. CVE-2011-4140: The CSRF protection mechanism in Django does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests. |
| Alerts: | |
radvd: multiple vulnerabilities
| Package(s): | radvd |
|---|---|
| CVE #(s): | CVE-2011-3601 CVE-2011-3602 CVE-2011-3603 CVE-2011-3604 CVE-2011-3605 |
| Created: | October 27, 2011 |
| Updated: | November 21, 2011 |
| Description: | From the Fedora advisory: CVE-2011-3601 radvd: privilege escalation flaw in process_ra(); CVE-2011-3602 radvd: arbitrary file overwrite flaw in set_interface_var(); CVE-2011-3603 radvd: daemon would not fail on privsep_init() causing it to run with full root privileges; CVE-2011-3604 radvd: numerous buffer overread flaws in process_ra() may lead to crash; CVE-2011-3605 radvd: temporary denial of service flaw in process_rs() |
| Alerts: | |
simplesamlphp: xml encryption weakness
| Package(s): | simplesamlphp |
|---|---|
| CVE #(s): | |
| Created: | October 27, 2011 |
| Updated: | November 2, 2011 |
| Description: | From the Debian advisory: Issues were found in the handling of XML encryption in simpleSAMLphp, an application for federated authentication. The following two issues have been addressed: It may be possible to use an SP as an oracle to decrypt encrypted messages sent to that SP. It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP. |
| Alerts: | |
squid: denial of service
| Package(s): | squid |
|---|---|
| CVE #(s): | CVE-2010-2951 |
| Created: | October 27, 2011 |
| Updated: | November 2, 2011 |
| Description: | From the CVE entry: dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the TC bit set. |
| Alerts: | |
tor: information disclosure
| Package(s): | tor |
|---|---|
| CVE #(s): | CVE-2011-2768 CVE-2011-2769 |
| Created: | October 28, 2011 |
| Updated: | November 10, 2011 |
| Description: | It has been discovered by "frosty_un" that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. See the tor advisory for details. |
| Alerts: | |
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
|---|---|
| CVE #(s): | CVE-2011-4100 CVE-2011-4101 CVE-2011-4102 |
| Created: | November 2, 2011 |
| Updated: | November 23, 2011 |
| Description: | Wireshark suffers from two denial-of-service vulnerabilities, one in the CSN.1 dissector (CVE-2011-4100) and one in the Infiniband dissector (CVE-2011-4101). There is also a buffer overflow in the ERF file reader (CVE-2011-4102) that, presumably, could be exploited to execute arbitrary code. |
| Alerts: | |
Page editor: Jake Edge