oss-sec mailing list archives

Re: SELinux troubles


From: Tomas Hoger <thoger () redhat com>
Date: Tue, 21 Jun 2016 13:41:22 +0200

On Tue, 21 Jun 2016 11:45:01 +0200 Sebastian Krahmer wrote:

1)

This bug is mitigated as of the setroubleshoot found on RHEL 7.2, by
running it as a dedicated user (untested).

Shell injection issue in setroubleshoot/audit_data.py:

def _set_tpath(self):
[...]
    if path.startswith("/") == False and inodestr:
        import subprocess
        # 'path' comes straight from the AVC denial message and is
        # interpolated into a shell command line
        command = "locate -b '\%s'" % path
        try:
            output = subprocess.check_output(command,
                                             stderr=subprocess.STDOUT,
                                             shell=True)
[...]


taking 'path' off AVC denial messages and constructing a command that's
passed to "sh -c".  o.O
Note that AVC denial messages appear outside of containers, so
a setroubleshoot is usually run on the host, processing AVC messages
from containers. This allows for an easy breakout.


2)

I did not test this, but even though the run_fix() function in
SetroubleshootFixit.py is protected by auth_admin polkit rules, it looks
like there's a good chance to pass XML documents via setroubleshoot's
RPC/DBUS API that contain evil local_id or analysis_id fields and trick
real admins to "fix" AVC denials that inject code:

[...]
    def run_fix(self, local_id, analysis_id):
        import commands
        # local_id and analysis_id arrive over the RPC/DBUS API and are
        # interpolated into a command string run through the shell
        command = "sealert -f %s -P %s" % (local_id, analysis_id)
        return commands.getoutput(command)
[...]

This is not mitigated by the run-as-user, since SetroubleshootFixit.py
still runs as root (and probably needs to).

CVE-2016-4989 was assigned to the issues above.


There are additional similar problems in setroubleshoot and
setroubleshoot-plugins:

- CVE-2016-4445, setroubleshoot, affecting 'sealert --fix'.  Problem was
  already fixed in version 3.2.23.

  https://github.com/fedora-selinux/setroubleshoot/commit/2d12677629ca319310f6263688bb1b7f676c01b7

- CVE-2016-4444, setroubleshoot-plugins, allow_execmod plugin.  Also
  previously fixed in version 3.2.23.

  https://github.com/fedora-selinux/setroubleshoot/commit/5cd60033ea7f5bdf8c19c27b23ea2d773d9b09f5

- CVE-2016-4446, setroubleshoot-plugins, allow_execstack plugin.
  Similar to the previous one, only using commands.getoutput instead of
  commands.getstatusoutput.

  https://github.com/fedora-selinux/setroubleshoot/blob/setroubleshoot-plugins-3.3.4/plugins/src/allow_execstack.py#L29

-- 
Tomas Hoger / Red Hat Product Security

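Hardened counterparts to the two shell-string patterns discussed in this thread, added here as an example; this is not setroubleshoot's code nor code from either poster. It assumes the 'locate -b' and 'sealert -f/-P' command forms shown above; the character set accepted by is_valid_id() is an assumption, not setroubleshoot's real id format.

```python
import re
import shlex
import subprocess

# Pattern 1 (audit_data.py): AVC-supplied path interpolated into a shell
# string. Kept only so the word-splitting effect can be shown below.
def unsafe_locate_command(path):
    return "locate -b '\\%s'" % path

# Fix: hand the shell nothing. The path is exactly one argv element no
# matter which quotes or metacharacters it contains.
def locate_argv(path):
    return ["locate", "-b", "\\" + path]

def run_locate(path):
    return subprocess.run(locate_argv(path), capture_output=True, text=True)

# Constructed AVC-style path with a quote: the shell form splits into four
# words instead of three, which is the injection the thread describes.
def shell_word_count(path):
    return len(shlex.split(unsafe_locate_command(path)))

# Pattern 2 (SetroubleshootFixit.py): ids received over RPC/D-Bus built
# into a shell string. Fix: argv list plus an allow-list on the ids.
# Assumed id alphabet; a leading '-' is rejected so a value can never be
# read as a sealert option even though no shell is involved.
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:-]{0,127}$")

def is_valid_id(value):
    return bool(_ID_RE.match(value))

def check_id(value):
    if not is_valid_id(value):
        raise ValueError("rejected id: %r" % value)
    return value

def sealert_argv(local_id, analysis_id):
    return ["sealert", "-f", check_id(local_id), "-P", check_id(analysis_id)]

def run_fix(local_id, analysis_id):
    result = subprocess.run(sealert_argv(local_id, analysis_id),
                            capture_output=True, text=True)
    return result.stdout
```

Both run_* helpers still need the real binaries installed; the argv builders and the id check are what the assertions exercise.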