oss-sec mailing list archives
Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution
From: Solar Designer <solar () openwall com>
Date: Tue, 18 Apr 2023 02:57:41 +0200
Hi,

Thank you Ruihan Li for finding and handling this vulnerability so well, and for the detailed write-up.

When discussing this on linux-distros a week ago, I wrote:

> Regarding the vulnerability itself, do you think it'd be a good idea to also inform the maintainer of sudo? My thinking is that sudo could be hardened not to trigger ioctl's (which I guess it does via tcgetattr() or such?) while having euid=0 (and thus root's typical capabilities) - it could temporarily seteuid(uid), then switch back due to saved uid.
>
> Did you identify (m)any other programs usable for this attack? I guess some with functionality "similar" to sudo's could also be "affected" (there are several implementations of su in different packages for Linux, pkexec, various container entry tools).

And indeed Ruihan Li came up with the list of other likely usable programs on a typical Linux distro, which makes the point of hardening only sudo moot, and so we decided to postpone further discussion until this is public on oss-security.

OTOH, not all distros are typical. Besides Android, we got rid of all SUID binaries in default install of Owl over a decade ago. While Owl is now effectively EOL'ed, some of its legacy lives on in ALT Linux distros, which are maintained, and other distros can do similar - it's primarily a matter of caring to do it or not. We did not package sudo in Owl, but if someone were to install it then it'd be the only program exposing this kernel vulnerability. So in that case, hardening sudo would have helped.

On Sun, Apr 16, 2023 at 10:57:27PM +0200, Steffen Nurpmeso wrote:

> So this general beating onto SETUID or super capable programs smells like bad fish Hollywood boom-boom again, no?

That lengthy list of them is actually in defense of sudo not having been hardened in this respect - it shows that this would not matter on a typical Linux system anyway.

> You have to do some things, and if you give up privileges thereafter, extended capabilities are gone.

POSIX saved IDs should help retain/regain the capabilities.

Alexander
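The hardening sketched in this message (a SUID-root program doing seteuid(uid) before an ioctl such as tcgetattr(), then switching back through the saved set-user-ID) is small enough to show in full. The following is an added example written for this archive page, not code from sudo, the kernel, or any participant in the thread. It assumes Linux semantics for seteuid(2) and capabilities(7): when the effective UID goes from 0 to non-zero the effective capability set is cleared, and when it returns to 0 the permitted set is copied back into the effective set. The function and type names (priv_ctx, priv_drop_temp, priv_restore, safe_tcgetattr, privdrop_selfcheck) are hypothetical names chosen for this example.

```c
/* Added example, not from the thread: bracket a tty ioctl with a
 * temporary drop of the effective UID so a SUID-root program does not
 * issue the ioctl while holding root's credentials and capabilities.
 * Assumes Linux seteuid(2) / capabilities(7) semantics. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <sys/types.h>

/* Return codes for this example (hypothetical). */
enum { PRIV_OK = 0, PRIV_DROP_FAILED = -1, PRIV_RESTORE_FAILED = -2 };

/* Credentials to put back once the unprivileged window is over. */
struct priv_ctx {
    uid_t ruid, euid;
    int   dropped;
};

/* Set the effective UID to the real (invoking) user.  In a SUID-root
 * binary the saved set-user-ID stays 0, so we can return later.  Going
 * from euid 0 to non-zero also clears the effective capability set, so
 * an ioctl issued inside the window carries the caller's privilege. */
static int priv_drop_temp(struct priv_ctx *ctx)
{
    ctx->ruid = getuid();
    ctx->euid = geteuid();
    ctx->dropped = 0;
    if (ctx->ruid == ctx->euid)
        return PRIV_OK;              /* not running set-uid: nothing to drop */
    if (seteuid(ctx->ruid) != 0)
        return PRIV_DROP_FAILED;
    ctx->dropped = 1;
    return PRIV_OK;
}

/* Regain the original effective UID via the saved set-user-ID.  Returning
 * to euid 0 copies the permitted capabilities back into the effective set. */
static int priv_restore(struct priv_ctx *ctx)
{
    if (!ctx->dropped)
        return PRIV_OK;
    if (seteuid(ctx->euid) != 0)
        return PRIV_RESTORE_FAILED;
    ctx->dropped = 0;
    return PRIV_OK;
}

/* tcgetattr() is a TCGETS ioctl on fd.  If fd was supplied by the invoking
 * user (e.g. a socket passed as stdin), the kernel sees the ioctl arriving
 * with whatever credentials we hold at that instant, so hold the user's.
 * Returns a PRIV_* code on a privilege switch failure, otherwise 0 on
 * success or the positive errno from tcgetattr(). */
int safe_tcgetattr(int fd, struct termios *t)
{
    struct priv_ctx ctx;
    int rc, saved_errno = 0;

    rc = priv_drop_temp(&ctx);
    if (rc != PRIV_OK)
        return rc;

    if (tcgetattr(fd, t) != 0)
        saved_errno = errno;

    rc = priv_restore(&ctx);
    if (rc != PRIV_OK)
        return rc;                   /* cannot continue as root: fatal */

    return saved_errno;              /* 0 for a tty, ENOTTY for a pipe, ... */
}

/* Self-check that also works without a SUID install: inside the window
 * euid must equal ruid, and afterwards euid must be what it was before. */
int privdrop_selfcheck(void)
{
    struct priv_ctx ctx;
    uid_t before = geteuid();

    if (priv_drop_temp(&ctx) != PRIV_OK) return 1;
    if (geteuid() != getuid())          return 2;
    if (priv_restore(&ctx) != PRIV_OK)  return 3;
    if (geteuid() != before)            return 4;
    return 0;
}

int main(void)
{
    struct termios t;
    int rc = safe_tcgetattr(STDIN_FILENO, &t);
    printf("selfcheck=%d tcgetattr=%d (%s)\n", privdrop_selfcheck(), rc,
           rc == 0 ? "tty" : strerror(rc));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, seteuid() only helps a binary that is set-uid root: a binary that is granted file capabilities without being set-uid never has euid 0, so changing euid does not touch its effective capability set, and it would need to clear the effective set explicitly (e.g. via libcap) around the ioctl instead. Second, the setuid family of system calls is per-thread on Linux and glibc makes the change process-wide with a signal-based broadcast, so in a multi-threaded program another thread may still be running as root for a moment; do the switch before creating threads or confirm with geteuid() in the thread that performs the ioctl, as privdrop_selfcheck() does.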
Current thread:
- CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Ruihan Li (Apr 16)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Steffen Nurpmeso (Apr 16)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Jakub Wilk (Apr 16)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Steffen Nurpmeso (Apr 17)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Solar Designer (Apr 17)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Ruihan Li (Apr 18)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Todd C. Miller (Apr 18)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Ruihan Li (Apr 18)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Todd C. Miller (Apr 18)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Steffen Nurpmeso (Apr 18)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Jakub Wilk (Apr 16)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Steffen Nurpmeso (Apr 16)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution nightmare . yeah27 (Apr 19)
- Re: Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution Steffen Nurpmeso (Apr 20)
- Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution 0xef967c36 (Apr 18)