Re: Tunnel Blick: Multiple Vulnerabilities to Local Root and DoS (OS X)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/11/2012 09:31 AM, Jason A. Donenfeld wrote:
> Hi,
>
> Tunnel Blick, a popular OpenVPN manager for Macintosh, has several 
> vulnerabilities in an SUID helper. I'm not sure if this is the
> place to report vulnerabilities in Macintosh software, but Tunnel
> Blick is open source.
>
> From the bug report [1] on the vulnerable code [2]:
>
> 1. A race condition in file permissions checking can lead to local
> root. (PoC: [3])
>
> 2. Insufficient checking of merely 0:0 744 can lead to local root
> on systems with particular configurations.
>
> 3. Insufficient validation of path names can allow for arbitrary 
> kernel module loading, which can lead to local root.
>
> 4. Insufficient validation of path names can allow execution of 
> arbitrary scripts as root, leading to local root. (PoC: [4])
>
> 5. Insufficient path validation in errorExitIfAttackViaString can
> lead to deletion of files as root, leading to DoS.
>
> 6. Allowing OpenVPN to run with user given configurations can lead
> to local root.
>
> Left one out.
>
> 7. Race condition in process killing.

Sorry maybe it's just late but I'm not finding any links to the
vulnerable code/fixed code which makes it difficult to verify these
issues. If you could put links to the affected code/lines so I can
quickly verify that would be helpful. E.g. I might need to merge some
of these (#3 and #4 and #5 for example are all input validation?).

> Thanks, Jason
>
> [1] http://code.google.com/p/tunnelblick/issues/detail?id=212 [2]
> http://code.google.com/p/tunnelblick/source/browse/trunk/tunnelblick/openvpnstart.m?r=2095
[3] http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c
> [4]
> http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh
- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQKJV6AAoJEBYNRVNeJnmTUKoP/RFPVbuAKsrTOKea0fbSVXA5
gVqmHHuK0vEmJfi4HaUhKUsV5Vx+fq08TR+16CCYhCJwfZhzPcUPSYyswaXuP0Wi
ZR8d+/jRPxRssBNeHkOey6ec2SaVwCJtVjnpaJAz0URE9421DX8217J9daOxcpK9
WVelp+jJuye9n5ykezGIg/dufZ3LMvZmdDHaD7Wce7Lx3dfvSSjSjwZZAPM36uzY
WpTdil0pvv/wmmN4tECUOCC2oEaroJc8iKQa3/U3RHFUtIPRvNanS++uKmVgNSrk
FP/xZie4TrduciHxTPUEfx3ubiLEqQO0Xm90EU6l6zesIqeNSxt7O42V9UX0ukk4
6PqkC/u/NbGfxm+W+GGOuN0HHEhl0Xvpq/kUKSIqCVHchEeWP/S59VbM48/0MhEC
kWpbaKrOEfA9RG9uChYRiM3B4AO71yCRCksy+8QcvlOldoVnbGA239+aQ82CbCr3
JC+rDJyViyzj7p06cF03lZ6WZ5zgbRBtp6Ijn7MXRV55fpYuCIyC83js9Mp6DZaT
+wnUM0iy5CzbKXUmcslw3//t6QO3+aVD0hiYK4HrjUYq4rwY+E8IYd5Hn5F7Tim5
rgrghd56GMe4cBn03/GUs6xVourQdUjyObN3MuLl+I8B9st34+AM0eSLvEeF+shE
yXjS0VBOlI2YOK46f/DK
=D+SB
-----END PGP SIGNATURE-----