List: oss-security
Subject: Re: [oss-security] CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hard
From: Michael Orlitzky <michael () orlitzky ! com>
Date: 2018-01-29 16:29:14
Message-ID: 7835816e-4c5d-94a7-0de3-4b69fe7f4cb7 () orlitzky ! com
On 01/29/2018 11:13 AM, Florian Weimer wrote:
> On 01/29/2018 05:09 PM, Michael Orlitzky wrote:
>> Correction to the CVE-ID: it's 2017, not 2018. So CVE-2017-18078.
>
> Isn't it a duplicate of CVE-2013-4392?
>
They look pretty similar. The symlink issue was fixed as far as I can
tell -- I tried to exploit them, and failed. The tmpfiles code is using
a clever trick:
xsprintf(fn, "/proc/self/fd/%i", fd);
...
if (chown(fn, ...
On Linux, the proc stuff is magic, and that just does the right thing,
even though a priori it looks like "chown" will follow symlinks.
Hard links were a different story, and there was no attempt made to
avoid them outside of relying on the fs.protected_hardlinks sysctl. So
if the administrator disables that protection, there's no safety net.
Did you cover the hard link problem in CVE-2013-4392, too? Regardless,
there is now some extra protection built-in to tmpfiles to reduce the
risk when the sysctl is disabled.