oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2017-8805: Unsafe symlinks not filtered in Debian mirror script ftpsync

From: Ben Tasker <ben () bentasker co uk>
Date: Wed, 18 Oct 2017 14:30:31 +0100
On Wed, Oct 18, 2017 at 1:55 PM, Robert Watson <robertcwatson1 () gmail com>
wrote:


Since security is determined by file and directory permissions and
ownership, not by symlinks, wouldn't the fact that a malicious user did not
have permissions to access the symlink's target file/directory prevent any
harm?



If I'm reading the original correctly, then the user that will access the
target will be the user your HTTP daemon runs as (so, for sake of example,
nginx).

There's stuff that will be protected by permissions (for example, you
shouldn't be able to pull down /etc/shadow - so long as nginx/apache isn't
running as root), but there are other files that you might consider
sensitive(ish). Pulling down /etc/passwd would give you a list of known
good usernames to better target brute-force attempts (for example). Or
perhaps using it to grab the config file of some dynamic site on the same
server etc.

So there is potential scope for abuse there, and others probably have
better imaginations than I do.

The "nice" thing about it is: if an attacker gets access to the upstream
mirror they still may not be able to mess with the packages themselves (as
they're signed), but with this they can still potentially be hostile to
downstream.


-- 
Ben Tasker
https://www.bentasker.co.uk
Previous By Date Next
Previous By Thread Next

Current thread: