Multiple Linux setuid output redirection vulnerabilities

2013-04-29 / 2013-05-08
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Some of the recent -stable patches are (surprise!) security fixes. These were disclosed on the distros list last week.

CVE-2013-1959: /proc/<pid>/uid_map has multiple incorrect privilege checks

Linux 3.8 and various 3.9 rcs are affected, depending on configuration. This gives a root shell. (Actually, it gives a uid 0 shell with no capabilities, but that's easy to escalate to full root.)

Fixed by:

commit 935d8aabd4331f47a89c3e1daa5779d23cf244ee
Author: Linus Torvalds <torvalds () linux-foundation org>
Date:   Sun Apr 14 10:06:31 2013 -0700

    Add file_ns_capable() helper function for open-time capability checking

commit 6708075f104c3c9b04b23336bb0366ca30c3931b
Author: Eric W. Biederman <ebiederm () xmission com>
Date:   Sun Apr 14 13:47:02 2013 -0700

    userns: Don't let unprivileged users trick privileged users into setting the id_map

commit e3211c120a85b792978bcb4be7b2886df18d27f0
Author: Andy Lutomirski <luto () amacapital net>
Date:   Sun Apr 14 16:28:19 2013 -0700

    userns: Check uid_map's opener's fsuid, not the current fsuid

All three patches are needed.

There's an exploit at the bottom of this email. To use it, you need to supply the program "zerozeroone". Doing so is left as an exercise to the reader. It can be done on stock installs of Fedora and Ubuntu at least.

CVE-2013-1979: writes to unix sockets capture euid instead of uid

This appears to be a regression in 2.6.36, and the regression was backported to various older stable series (2.6.35.11 at least). It is almost certainly exploitable for root on most distributions, although the vectors will vary.

The fix is:

commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494
Author: Linus Torvalds <torvalds () linux-foundation org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    net: fix incorrect credentials passing

I don't have an exploit, but there's a PoC below that demonstrates the issue.

There's another security buglet that probably has extremely low impact. It doesn't have (and shouldn't need) a CVE number. It's fixed here:

commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5
Author: Andy Lutomirski <luto () amacapital net>
Date:   Sun Apr 14 11:44:04 2013 -0700

    userns: Changing any namespace id mappings should require privileges
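As an added illustration of the credential check that CVE-2013-1979 concerns (this is not code from the email or the PoC it mentions): a receiving service enables SO_PASSCRED on a unix socket and reads the SCM_CREDENTIALS ancillary message the kernel attaches to each datagram. The uid field of that struct ucred should be the writer's real uid; on an affected kernel it carried the euid, so a setuid-root program whose output was redirected into the socket would be reported as uid 0. Assumes Linux; the receiving-side check is the one a local daemon relying on peer credentials would perform.

```python
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; (three 32-bit ints)
UCRED_FMT = "3i"
UCRED_SIZE = struct.calcsize(UCRED_FMT)


def receive_peer_credentials(payload: bytes = b"hello") -> dict:
    """Send one datagram over an AF_UNIX socketpair whose receiving end has
    SO_PASSCRED set, and return the credentials the kernel attached to it.
    The sender passes no SCM_CREDENTIALS itself, so the kernel fills them in
    from the writing task, which is exactly the path the 2.6.36 regression hit."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Must be enabled before the write: credentials are captured at send time.
        receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        sender.send(payload)
        data, ancdata, _flags, _addr = receiver.recvmsg(
            len(payload), socket.CMSG_SPACE(UCRED_SIZE)
        )
    finally:
        sender.close()
        receiver.close()
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = struct.unpack(UCRED_FMT, cdata[:UCRED_SIZE])
            return {"data": data, "pid": pid, "uid": uid, "gid": gid}
    raise RuntimeError("kernel attached no SCM_CREDENTIALS message")


def sender_credentials_consistent(creds: dict) -> bool:
    """What a daemon should see for a writer in its own process: the attached
    uid/gid equal the writer's real ids. On a fixed kernel this holds even when
    the writer is a setuid program; on an affected kernel a setuid-root writer
    would instead show uid 0 here."""
    return (
        creds["pid"] == os.getpid()
        and creds["uid"] == os.getuid()
        and creds["gid"] == os.getgid()
    )


if __name__ == "__main__":
    creds = receive_peer_credentials()
    print(creds, "consistent:", sender_credentials_consistent(creds))
```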

References:

http://seclists.org/oss-sec/2013/q2/215
https://cxsecurity.com/issue/WLB-2013050069

