oss-sec mailing list archives
Re: CVE-2017-12847: nagios-core privilege escalation via PID file manipulation
From: "kseifried () redhat com" <kseifried () redhat com>
Date: Mon, 11 Sep 2017 14:22:12 -0600
On 2017-09-11 01:58 PM, Michael Orlitzky wrote:
> On 09/07/2017 12:22 PM, Daniel Kahn Gillmor wrote:
>
> It's just me as far as I know. I stumbled onto this by accident while cleaning up an OpenRC init script that was shipped as part of an upstream package. I updated it, and then noticed that my init script was vulnerable to the PID file trick. Then I realized that everybody else has the same problem.
>
> You probably need a human to make the final decision on whether or not an init script is vulnerable, but my lame heuristic so far has been hilariously accurate: does the init script mess with file/directory ownership? If so, it's probably vulnerable to *something*.
Another note on init scripts and related, rpm and dpkg postinstall/preinstall/etc, as a rule if it does anything with:

chmod
chown
chgrp
touch
head
tail
cat
"/etc/pki/"
"/tmp/"
"/dev/random"
"/dev/urandom"
cert commands from openssl, gnutls or nss
a pile of other things (you start to get the idea)

There is a semi good chance either something is going wrong security wise, or it should be part of first run (e.g. things that generate a certificate or a key: if you do that in the install/postinstall scripts all your containers have the same secret; if you do it on first run (typically as part of the app itself, or part of the init scripts) then it's unique per instance).

Some examples:

CVE-2016-4980
CVE-2016-4982
CVE-2016-4983
CVE-2016-4984

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
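The defensive side of the PID file trick that this thread is about, as an added example (not code from the thread, from nagios-core, or from any distribution's init script): a POSIX sh helper that a root-run init script can use so that a PID file writable by the service user can only ever make it signal a process that really runs as that user. It assumes Linux, since it reads the effective UID from /proc/PID/status; the function names and the `nagios`-style service-user argument are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or from nagios-core. A root-run init script that
# does "kill $(cat pidfile)" trusts whatever the service user wrote into the file.
# These helpers accept only a plain decimal PID, and only if that process runs with
# the service user's effective UID. Assumes Linux (/proc/PID/status).

# pid_from_file FILE: print the PID if FILE holds exactly one decimal number, else fail.
pid_from_file() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    pid=
    read -r pid 2>/dev/null < "$1" || [ -n "$pid" ] || return 1  # tolerate no trailing newline
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty, signed, "12 34", "abc": reject
    esac
    printf '%s\n' "$pid"
}

# pid_owned_by PID USER: succeed only if a live process PID has USER's effective UID.
# The Uid: line of /proc/PID/status is used instead of the owner of /proc/PID itself,
# because a daemon that dropped root privileges is non-dumpable and its /proc entry
# then stays owned by root, which would wrongly reject the legitimate daemon.
pid_owned_by() {
    want_uid=$(id -u "$2" 2>/dev/null) || return 1
    have_uid=$(awk '/^Uid:/ { print $3 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$have_uid" ] && [ "$have_uid" -eq "$want_uid" ]
}

# checked_stop PIDFILE USER [SIGNAL]: signal the daemon only after both checks pass.
# A PID file that names a root-owned process is refused instead of being acted on.
checked_stop() {
    pid=$(pid_from_file "$1") || { echo "$1: not a valid PID file" >&2; return 1; }
    pid_owned_by "$pid" "$2" || { echo "PID $pid is not owned by $2, refusing" >&2; return 1; }
    # Residual TOCTOU: the PID could be reused between the check and the kill. Keeping
    # the PID file in a root-owned directory, or letting a supervisor track the process,
    # removes the problem entirely; this check only narrows it.
    kill -s "${3:-TERM}" "$pid"
}
```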