oss-sec mailing list archives
Re: IMA gadgets
From: Jens Timmerman <jens () caret be>
Date: Wed, 1 Dec 2021 12:52:18 +0100
On 11/30/21 22:27, Grant Taylor wrote:
> > This means an attacker can turn any binary into a SUID binary. The signatures do not cover these file attributes, so they will still verify.
> It may be possible to add SUID and / or capabilities to a signed file. But I have to question how such a questionable non-SUID binary would be given a signature in the first place? Or asked another way, why would a questionable file be given an IMA signature in the first place?
An attacker doesn't need to SUID a questionable binary, just any binary that would then allow executing commands, e.g. /usr/bin/bash or, less obvious but still obvious, perl, python, vim, sudoedit, and 100s of other default tools that could be used to an attacker's advantage once they are SUID.
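An added example, not part of the original message or thread: since the signatures discussed above cover file contents but not the SUID bit or capabilities, a defender can baseline those attributes separately and flag any binary whose privilege state changes. The function names are hypothetical and `/usr/bin` in the demo is an assumed scan root.

```python
import os
import stat

CAPS_XATTR = "security.capability"  # xattr holding Linux file capabilities


def privilege_state(path):
    """Return (setuid/setgid bits, raw capability blob) for one file."""
    st = os.lstat(path)
    bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
    caps = b""
    if hasattr(os, "getxattr"):  # xattr API is Linux-only
        try:
            caps = os.getxattr(path, CAPS_XATTR, follow_symlinks=False)
        except OSError:
            caps = b""  # attribute absent, unreadable, or no xattr support
    return bits, caps


def snapshot(root):
    """Map every regular file under root to its privilege state."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(path).st_mode):
                    state[path] = privilege_state(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return state


def privilege_drift(baseline, current):
    """List (path, bits, caps_changed) where privilege state left the baseline."""
    findings = []
    for path, (bits, caps) in sorted(current.items()):
        old_bits, old_caps = baseline.get(path, (0, b""))
        if bits != old_bits or caps != old_caps:
            findings.append((path, bits, caps != old_caps))
    return findings


if __name__ == "__main__":
    # Assumed scan root. With an empty baseline this lists every file that
    # currently carries setuid/setgid bits or file capabilities.
    for path, bits, caps_changed in privilege_drift({}, snapshot("/usr/bin")):
        print(f"{path} mode-bits={oct(bits)} caps-changed={caps_changed}")
```

In practice the baseline would be stored from a known-good install and compared on a schedule, since content-only verification does not flag these attribute changes.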