Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Posted Feb 18, 2022 15:35 UTC (Fri) by intgr (subscriber, #39733)In reply to: Local root vulnerability in snap-confine by jra
Parent article: Local root vulnerability in snap-confine
Thanks for the link, this report is pure gold and worth reading in full.
Truly, props to snap-confine developers for implementing mitigations to make exploitation so complicated.
As for the other vulnerabilities they found......... *sigh*
> CVE-2021-3995: Unauthorized unmount in util-linux's libmount
> only the first "sz" characters of the
> current user's uid are compared to the filesystem's "user_id" option (sz
> is user_id's length). This second vulnerability allows an unprivileged
> user to unmount the FUSE filesystems that belong to certain other users;
> for example, if our own uid is 1000, then we can unmount the FUSE
> filesystems of the users whose uid is 100, 10, or 1
This is hilarious and sad at the same time. It would be obvious to blame the C language. But I think it's time to start putting blame on developers as well, when instead of using proper primitives like "compare string A and B and tell me if they're equal", they insist on using low-level primitives with pointer arithmetic and buffer manipulation. This is the same mindset that led to the recent "pkexec" vulnerability.
This way of parsing and handling strings should be unacceptable in a culture that values security. Please use (create) a proper C library of high-level string manipulation functions, no shortcuts!
> CVE-2021-3996: Unauthorized unmount in util-linux's libmount
> when parsing /proc/self/mountinfo, the libmount blindly
> removes any " (deleted)" suffix from the mountpoint pathnames
> For example, on Fedora, /tmp is a tmpfs, so we can mount a basic FUSE
> filesystem named "/tmp/ (deleted)" (with FUSE's "hello world" program,
> ./hello) and unmount /tmp itself (a denial of service)
Hilarious. This, again, is a culture problem. We should be migrating to proper serialization formats when communicating complex data structures to between kernel and userland, instead of this stringly typed complex to parse hodgepodge that is "mountinfo".
The "deleted" flag should be a boolean or flags field, not part of the path name string.
> CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles
> if we create thousands
> of nested directories in /tmp, then "systemd-tmpfiles --remove" (when
> executed as root at boot time) will call its rm_rf_children() function
> recursively (on each nested directory) and will exhaust its stack and crash
> - for example, on Ubuntu 21.04, systemd-tmpfiles fails to create the
> directory /run/lock/subsys; but because /run/lock is world-writable,
> attackers can create their own /run/lock/subsys; and because various
> legacy packages and daemons write into /run/lock/subsys as root, the
> attackers may create arbitrary files via symlinks in /run/lock/subsys.
Mind=blown. One would expect the crash of a startup service to "fail safe" and possibly disable part of the system. But the auditors managed to turn it into a privilege escalation vulnerability.
Not sure where to put the blame, I could see myself making this mistake just as well.
Posted Feb 18, 2022 16:20 UTC (Fri)
by epa (subscriber, #39769)
[Link] (12 responses)
You can also blame whoever came up with the mountinfo format, but that may be a little unfair as I'm sure it has simply evolved rather than being designed. With hindsight, if you are pasting together strings in a formatted text output you should think in advance of what to do if one of the formatting characters (like, I don't know, newline) appears in a string. But again, there's no cultural consensus on what to do, and any scheme you invented would probably be parsed wrongly by lots of userland code, since it's an uncommon case.
Posted Feb 18, 2022 18:33 UTC (Fri)
by mpr22 (subscriber, #60784)
[Link] (2 responses)
Posted Feb 18, 2022 21:11 UTC (Fri)
by ms-tg (subscriber, #89231)
[Link] (1 responses)
I wonder if there are steps that, over some years, could help make the unknown number of people visible? For example, what if Linux, either in the file systems or more likely in distro-level utilities, simply detected filenames that violated certain rules, and let the user know that these existed and might need to be renamed to follow a proposed RFC naming convention in the future if it becomes accepted?
Perhaps users could opt-in to also reporting counts back to a central server?
I'm even picturing a nice web page, the way big security vulnerabilities have these days? Maybe 'linux-filenames-rfc.io'? Which could include the latest text of the proposal, links to Github where changes can be proposed, mailing lists where it is discussed, etc?
Using these sorts of community consensus approaches, might it be possible to get more of a defined sense of how often how big a real-world impact would be felt by any proposed reduction in Linux filename permissiveness?
Posted Feb 24, 2022 11:07 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Sure, all hell could then break loose, as old apps assume they can write garbage, etc etc, but it gives *developers* the opportunity to have a flag day and clean up their own stuff. Then they recommend that users enable this flag, which can't be enabled on existing systems to avoid breaking them, and all this goodness is enforced going forwards.
Then you reverse the default state of the flag so all of a sudden, people with old apps have to ask for the old behaviour ... But the breakage is minimised by making it easy for those in the know to be early adopters and test their own systems. You only need something like SUSE's Open Build System flipping their default setting, as developer's build systems start breaking and a distro could then rapidly switch their own default knowing all the apps they've built are compliant ...
Cheers,
Posted Feb 19, 2022 9:40 UTC (Sat)
by adobriyan (subscriber, #30858)
[Link]
Posted Feb 19, 2022 10:26 UTC (Sat)
by intgr (subscriber, #39733)
[Link]
I don't really blame whoever came up with it, but I blame kernel developers for not offering better alternatives for new use cases and migrating old kludges over.
Kernel developers should decide on a new unambiguous and extensible serialization format for complex nested data structures. In 1990s these lessons hadn't really been learned yet, but in 2022 we have protobuf, Avro, Arrow, ASN.1, JSON and plenty more. I'm sure we can find at least one that suits the kernel use case.
> blame whoever decided that ( ) and space should be legal characters in a mount point path name
This wouldn't even help that much. Restricting characters in path names would solve this particular issue for paths, but there are still plenty of other strings with arbitrary content that may end up being communicated to user space. So would you propose blocking a set of characters in *all* kernel inputs?
I feel like a broken record at this point, but again: if you're having trouble transmitting certain characters in your serialization format, it's the serialization format that sucks.
Posted Feb 20, 2022 3:03 UTC (Sun)
by foom (subscriber, #14868)
[Link] (6 responses)
If there's blame to be had, it'd be for the Unix shell language which treats strings in a variable unsafely by default!
Posted Feb 21, 2022 7:01 UTC (Mon)
by epa (subscriber, #39769)
[Link] (5 responses)
On some platforms space is not a legal character in filenames but you can use non-breaking space, which isn’t treated specially by the shell. I’m not sure whether that is better or worse.
Posted Feb 21, 2022 12:43 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (4 responses)
Posted Feb 21, 2022 13:37 UTC (Mon)
by adobriyan (subscriber, #30858)
[Link] (3 responses)
'-' is allowed in URLs. Any site issuing randomised names (like: YT) to user submitted content will create a file starting with minus easily.
Posted Feb 21, 2022 14:15 UTC (Mon)
by zdzichu (subscriber, #17118)
[Link] (2 responses)
Posted Feb 21, 2022 17:33 UTC (Mon)
by adobriyan (subscriber, #30858)
[Link] (1 responses)
GNU ls(1) started to quote filenames with spaces at some point, it was huge step in right direction because copy paste suddenly started working "out of the box". More features lke this are necessary.
Posted Feb 21, 2022 18:04 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Just add automatic escaping for such names.
Posted Feb 19, 2022 8:55 UTC (Sat)
by roc (subscriber, #30627)
[Link] (3 responses)
The problem is that C doesn't provide enough language features to make a library string type as convenient and performant to use as char*. (Language features such as destructors.) Therefore C programmers will be disinclined to use it. It's not an accident that after all these years no such library is in broad use.
Posted Feb 20, 2022 16:59 UTC (Sun)
by epa (subscriber, #39769)
[Link]
Posted Feb 21, 2022 15:20 UTC (Mon)
by rgmoore (✭ supporter ✭, #75)
[Link] (1 responses)
I think your comment gets very nicely at the root of our problems. We will never get security right as long as it is given lower priority than convenience and performance.
Posted Feb 22, 2022 2:29 UTC (Tue)
by mathstuf (subscriber, #69389)
[Link]
As for convenience, sure it's handy to be able to pass a "string" around in a register because it's "just" the size of a pointer, but weighing that against the inconvenience of having to debug mishandling of these APIs, they are by *far* in the red in my book. I mean, we have how many flavors of "append a string"? `strcat`, `strncat`, and `strlcat`? Toss `snprintf` in there too if you want to be fancy. And there's not even *consensus* on this set. Reviewing code dense with use of the C string library requires notes because I need to track where lengths are coming from, are the right APIs being used, and "oh, that's just a poorly coded `strdup`" recognitions. I don't find it useful.
So given that it scores (IMO) a 2/5 on performance (sure, registers get you something I guess), 1/5 in (overall) convenience, and 0/5 on security because the APIs just don't help out half the time, why, specifically, would roc's "attitude" not be warranted?
Posted Feb 20, 2022 23:42 UTC (Sun)
by judas_iscariote (guest, #47386)
[Link] (1 responses)
What is actually wanted is system calls, that return unambigous, well defined data.. same on all archictectures or kernel config options.. no new proc files to parse or to write to...
Posted Feb 21, 2022 16:37 UTC (Mon)
by nybble41 (subscriber, #55106)
[Link]
We have the system calls (open, read, write). What is missing is the "unambiguous, well-defined data". Given an appropriate serialization format there is nothing wrong with communicating the data through /proc. I see no need to restrict access to languages with support for making special-purpose system calls.
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Wol
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Everything except NULL and / is allowed in filenames. But it doesn't mean it's a good idea to use it. Please take time to read the essay, it is eye-opening.
Local root vulnerability in snap-confine
And you do not need a website. Just touch -- --foot-shooter (or touch -- -rf\ . if you like).
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine
Local root vulnerability in snap-confine