oss-sec mailing list archives
Re: CVE-NONE kernel: PHONET signedness issue
From: Nelson Elhage <nelhage () ksplice com>
Date: Thu, 6 Jan 2011 13:31:47 -0500
IMO, there is a (usually fairly clear) distinction between ways that a capability can transition to root "by design" and ones that are implementation bugs. If I, as a system administrator, grant you CAP_SYS_ADMIN, assuming that I know what I'm doing, I intend you to have the ability to (for example) mount and unmount filesystems. It is conceivable, although barely, that I have put in other protections in place to prevent you from using that ability from escalating yourself to full root. I almost certainly did /not/ intend to grant you the ability to corrupt kernel memory using a signedness error in the phonet subsystem. And so, in my opinion, this does represent a deviation from the intended security model that could "allow an attacker to [...] violate a reasonable security policy for that system", even if it's extremely unlikely that anyone is actually operating under such a security model. Admittedly, in the case of CAP_SYS_ADMIN, this is a hopelessly fine distinction because of the number of ways that CAP_SYS_ADMIN is equivalent to "full control of the machine". I don't personally care whether this issue gets a CVE, but I do think there is a distinction to be made here that is worth being aware of. - Nelson On Thu, Jan 06, 2011 at 01:08:59PM -0500, Dan Rosenberg wrote:
This is a slippery slope. I'm in favor of not having a CVE assigned for this issue. Otherwise, wouldn't we need a CVE for every vector that allows transitioning from various capabilities to root? The capability system may be poorly designed to allow such transitions, but I don't think they represent unexpected behavior. -Dan On Thu, Jan 6, 2011 at 12:54 PM, Michael Gilbert <michael.s.gilbert () gmail com> wrote:On Thu, 06 Jan 2011 13:20:49 +0800, Eugene Teo wrote:re: http://seclists.org/fulldisclosure/2011/Jan/39 Just in case someone tries to request a CVE name for this, I'm not requesting for one because if you need CAP_SYS_ADMIN capability to exploit this, you are already privileged.Right, but CAP_SYS_ADMIN != root, or at least it isn't meant to be. I mean if CAP_SYS_ADMIN == root, then one or the other doesn't need to exist. There is an exposure here, and for that it deserves a CVE identifier (of course in my opinion). See Brad Spengler's recent write-up [0]. There should be some effort toward making those 21 root equivalent capabilities discussed there non-equivalent. Best wishes, Mike [0] http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
Current thread:
- CVE-NONE kernel: PHONET signedness issue Eugene Teo (Jan 05)
- Re: CVE-NONE kernel: PHONET signedness issue Michael Gilbert (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Dan Rosenberg (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Michael Gilbert (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Nelson Elhage (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Steven M. Christey (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Dan Rosenberg (Jan 06)
- Re: CVE-NONE kernel: PHONET signedness issue Michael Gilbert (Jan 06)