oss-sec mailing list archives
Re: Authentication vulnerabilities in OpenBSD
From: Solar Designer <solar () openwall com>
Date: Wed, 4 Dec 2019 23:05:11 +0100
On Wed, Dec 04, 2019 at 08:49:22PM +0000, Qualys Security Advisory wrote:
1. CVE-2019-19521: Authentication bypass
This is the second piece of the puzzle: if an attacker specifies the username "-schallenge" (or "-schallenge:passwd" to force a passwd-style authentication), then the authentication is automatically successful and therefore bypassed.
Wow, this is the new -froot.
2. CVE-2019-19520: Local privilege escalation via xlock ============================================================================== On OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID "auth", not set-user-ID; the following check is therefore incomplete and should use issetugid() instead: ------------------------------------------------------------------------------ 101 _X_HIDDEN void * 102 driOpenDriver(const char *driverName) 103 { ... 113 if (geteuid() == getuid()) { 114 /* don't allow setuid apps to use LIBGL_DRIVERS_PATH */ 115 libPaths = getenv("LIBGL_DRIVERS_PATH"); ------------------------------------------------------------------------------ A local attacker can exploit this vulnerability and dlopen() their own driver to obtain the privileges of the group "auth":
I think this library issue isn't OpenBSD-specific. A quick Google web search for LIBGL_DRIVERS_PATH finds that Mesa appears to have the same issue, and it also finds that we should also search for GBM_DRIVERS_PATH (apparently, for older Mesa) and maybe EGL_DRIVERS_PATH and EGL_DRIVER, and LIBVA_DRIVERS_PATH and LIBVA_DRIVER_NAME. There are probably more. Related discussion for X.Org, which ends with Alan Coopersmith saying: "Yeah, I really would rather not have a setuid-root program dlopen and execute code from a user supplied path. Can we have something in there to prevent disasters, such as issetugid() or secure_getenv()?" [PATCH xserver] Search for DRI drivers at LIBGL_DRIVERS_PATH environment variable. https://lists.x.org/archives/xorg-devel/2016-April/049336.html It sounds like the patch adding the dangerous getenv() didn't get in, but I didn't verify that. Alexander
Current thread:
- Authentication vulnerabilities in OpenBSD Qualys Security Advisory (Dec 04)
- Re: Authentication vulnerabilities in OpenBSD Solar Designer (Dec 04)
- Re: Authentication vulnerabilities in OpenBSD Georgi Guninski (Dec 05)
- Re: Authentication vulnerabilities in OpenBSD Renaud Allard (Dec 05)
- Re: Authentication vulnerabilities in OpenBSD Arrigo Triulzi (Dec 05)