oss-sec mailing list archives
Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0
From: Michael Orlitzky <michael () orlitzky com>
Date: Mon, 29 Jan 2018 11:29:14 -0500
On 01/29/2018 11:13 AM, Florian Weimer wrote:
On 01/29/2018 05:09 PM, Michael Orlitzky wrote:Correction to the CVE-ID: it's 2017, not 2018. So CVE-2017-18078.Isn't it a duplicate of CVE-2013-4392?
They look pretty similar. The symlink issue was fixed as far as I can tell -- I tried to exploit them, and failed. The tmpfiles code is using a clever trick: xsprintf(fn, "/proc/self/fd/%i", fd); ... if (chown(fn, ... On Linux, the proc stuff is magic, and that just does the right thing, even though a priori it looks like "chown" will follow symlinks. Hard links were a different story, and there was no attempt made to avoid them outside of relying on the fs.protected_hardlinks sysctl. So if the administrator disables that protection, there's no safety net. Did you cover the hard link problem in CVE-2013-4392, too? Regardless, there is now some extra protection built-in to tmpfiles to reduce the risk when the sysctl is disabled.
Current thread:
- CVE-2018-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Michael Orlitzky (Jan 29)
- Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Michael Orlitzky (Jan 29)
- Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Florian Weimer (Jan 29)
- Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Michael Orlitzky (Jan 29)
- Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Florian Weimer (Jan 29)
- Re: CVE-2017-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0 Michael Orlitzky (Jan 29)