oss-sec mailing list archives
Re: libdbus hardening
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 13 Sep 2012 18:18:17 +0200
On Tue, 10 Jul 2012 16:11:12 +0200 Sebastian Krahmer wrote:
If you compile your openssh '--with-ssl-engine' you have an easy root exploit (given that ssh-keysign is mode 04755 such as on Debian) via OPENSSL_config().
Even though the above is not correct to the best of my knowledge (no openssh version I checked would call OPENSSL_config(NULL) from ssh-keysign, even when it's complied with --with-ssl-engine and installed setuid root; even though other openssh command line tools do end up calling OPENSSL_config(NULL)), this shows OpenSSL is not unlikely to be used in a privileged application and hence may allow privilege escalation via special OPENSSL_CONF or OPENSSL_ENGINES environment variables. OpenSSL also already protects access to certain environment variables (there are OPENSSL_issetugid() calls before getenv()), it does not do the same check for all variables it reads. It seems that problem deserves a CVE. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- Re: libdbus hardening, (continued)
- Re: libdbus hardening Solar Designer (Jul 10)
- Re: libdbus hardening Florian Weimer (Jul 10)
- Re: libdbus hardening Solar Designer (Jul 10)
- Re: libdbus hardening Sebastian Krahmer (Jul 10)
- Re: libdbus hardening Solar Designer (Jul 10)
- Re: libdbus hardening yersinia (Jul 10)
- Re: libdbus hardening Sebastian Krahmer (Jul 10)
- Re: libdbus hardening Solar Designer (Jul 10)
- Re: libdbus hardening Sebastian Krahmer (Jul 10)
- Re: libdbus hardening Solar Designer (Jul 10)
- Re: libdbus hardening Florian Weimer (Jul 11)
- Re: libdbus hardening Tomas Hoger (Sep 13)
- Re: libdbus hardening Sebastian Krahmer (Jul 11)
- Re: libdbus hardening Solar Designer (Jul 11)
- Re: libdbus hardening yersinia (Jul 11)
- Re: libdbus hardening Solar Designer (Jul 17)
- Re: libdbus hardening Florian Weimer (Jul 17)
- Re: libdbus hardening Florian Weimer (Jul 25)
- Re: libdbus hardening yersinia (Jul 26)
- Re: libdbus hardening Ludwig Nussel (Jul 30)
- Re: libdbus hardening Florian Weimer (Jul 30)