oss-sec mailing list archives

Re: User man Local Root Exploit/Linux Kernel setgid Directory Privilege Escalation/PAM Owner Check Weakness


From: Solar Designer <solar () openwall com>
Date: Tue, 15 Dec 2015 00:54:08 +0300

halfdog -

http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

Thank you for documenting these peculiar findings.  While your web pages
are nicely formatted and have helpful cross-references, could you please
post the actual content to oss-security directly?  If you can't easily
include everything into a message body yet keep it reasonable, then you
may attach several text files, including the CreateSetgidBinary.c
program.  I hope your website will still be available with this content
years later, but regardless I'd prefer discussion threads in here not to
rely on external content unnecessarily.  If we can make a discussion
thread more self-contained, we should.  Including external URLs for
reference and better formatting and cross-references is great, but it
does not eliminate the need to also include the most essential content
directly in your posting.

On Mon, Dec 14, 2015 at 09:14:29PM +0000, halfdog wrote:
> Dag-Erling Smorgrav wrote:
> > And the PAM issue?
> 
> That's the most questionable. Should it be expected from the pam
> libraries to refuse authentication, when the owner/group of
> /etc/shadow is completely off? Of course, an attacker with the possibility
> to modify ownership of a single file would also find numerous other
> targets to work on, but should it be so easy?

(You mean PAM modules like pam_unix here, not PAM libraries like libpam.
And of course this question is not limited to systems with PAM.)

I don't feel about this strongly, but I also see little need to
introduce this kind of paranoia into pam_unix and the like.  As you
point out, there are "numerous other targets", and some of them are not
much or any harder to make use of - e.g., root's cron jobs, sshd_config
"Subsystem" line, lots of scripts and binaries (but these might require
waiting until they're run next).

Alexander
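For readers who want to see what "this kind of paranoia" would amount to in practice, the following is an added example, not code from the thread, from pam_unix, or from halfdog's pages. It sketches the sanity check a password-file-reading module could run on the descriptor it is about to read: the file must be a regular file, owned by uid 0, not group-writable, and with no "other" permission bits at all. The function names, the flag values and the temporary-file helper are this example's own choices; the check is deliberately done with fstat() on an already-opened descriptor rather than stat() on the path, so that a symlink swapped in after the check cannot bypass it.

```c
/* Added example: ownership/mode sanity check for a secrets file such as
 * /etc/shadow. Not from the thread, from pam_unix, or from halfdog's pages;
 * names and flag values are assumptions made for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Bitmask of problems found; SECRET_OK means every check passed. */
enum {
    SECRET_OK           = 0,
    SECRET_OPEN_FAILED  = 1 << 0, /* open() or fstat() failed */
    SECRET_NOT_REGULAR  = 1 << 1, /* not a regular file */
    SECRET_NOT_ROOT     = 1 << 2, /* owner uid is not 0 */
    SECRET_GROUP_WRITE  = 1 << 3, /* group-writable */
    SECRET_WORLD_ACCESS = 1 << 4  /* any r/w/x bit for "other" set */
};

/* Check an already-open descriptor. Using fstat() on the descriptor that
 * will actually be read avoids a check-then-use race on the path name. */
int check_secret_fd(int fd)
{
    struct stat st;
    int flags = SECRET_OK;

    if (fstat(fd, &st) != 0)
        return SECRET_OPEN_FAILED;
    if (!S_ISREG(st.st_mode))
        flags |= SECRET_NOT_REGULAR;
    if (st.st_uid != 0)
        flags |= SECRET_NOT_ROOT;
    if (st.st_mode & S_IWGRP)
        flags |= SECRET_GROUP_WRITE;
    if (st.st_mode & S_IRWXO)
        flags |= SECRET_WORLD_ACCESS;
    return flags;
}

/* Open the path without following a final symlink, then check it. */
int check_secret_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int flags;

    if (fd < 0)
        return SECRET_OPEN_FAILED;
    flags = check_secret_fd(fd);
    close(fd);
    return flags;
}

/* Demonstration helper: create a constructed temporary file with the given
 * mode, run the check on it, remove it, and return the result. Owner will be
 * whoever runs this, so SECRET_NOT_ROOT is set unless run as root. */
int check_constructed_file(mode_t mode)
{
    char tmpl[] = "/tmp/secret-check-XXXXXX";
    int fd = mkstemp(tmpl);
    int flags;

    if (fd < 0)
        return SECRET_OPEN_FAILED;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(tmpl);
        return SECRET_OPEN_FAILED;
    }
    flags = check_secret_fd(fd);
    close(fd);
    unlink(tmpl);
    return flags;
}

int main(void)
{
    /* Run as root to actually open /etc/shadow; otherwise open() fails. */
    int flags = check_secret_file("/etc/shadow");

    if (flags == SECRET_OK)
        puts("/etc/shadow: owner and mode look sane");
    else
        printf("/etc/shadow: problem flags 0x%x\n", flags);
    return flags != SECRET_OK;
}
```

Note that the usual Debian layout (root:shadow, mode 0640) passes this check, since group read is allowed and only group write and any "other" bits are rejected; a module that also wanted to pin the group would need a distribution-specific gid. The thread's point stands either way: a check like this only raises the bar for one target among the many an attacker with an arbitrary chown already has.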
