permissions

Office arbitrary ClickOnce application execution vulnerability

Yorick Koster, June 2010

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A logic flaw has been found in the way .NET grants permissions to
ClickOnce applications. Combined with relaxed security warnings when
handling OLE Packages in Office 2007, this allows attackers to run
arbitrary .NET assemblies with Full Trust permissions.

------------------------------------------------------------------------

Re: /proc filesystem allows bypassing directory permissions on

> > IMHO; no bug or security issue, just a misunderstanding of the
> > mechanism...

Correct.  It is a completely flawed assumption.

In Unix, an open() of a file checks access permissions as
specified in the files inode.  If someone wants access control
applied to a file, then he MUST do so using the permission in
the file inode.

Making assumptions about directory search and access permissions

Re: /proc filesystem allows bypassing directory permissions on Linux

resources, a check should be done to see what it allows. The check for the
inode permissions is more questionable. As can be seen above, using a fd
directly ignores file permissions and only uses fd "permissions". Accessing
via /proc is like accessing via fd so there is an argument to be had for
keeping semantics the same (then again, there's an argument to be had
for listening to file system permissions since that's also the context it's
in).

The directory permissions are irrelevant in the case of access via fd
without the use of /proc. The directory permissions only control 3 things:


Cisco Security Advisory: Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities

other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.

This security advisory identifies the following vulnerabilities:

  * ACE Device Manager and ANM invalid directory permissions
    vulnerability
  * ANM default user credentials vulnerability
  * ANM MySQL default credentials vulnerability
  * ANM Java agent privilege escalation


Cisco Security Advisory: Local Privilege Escalation Vulnerabilities in Cisco VPN Client

| Microsoft Windows Dial-Up   | including        |               |
| Networking Interface        | 4.8.02.0010      |               |
|-----------------------------+------------------+---------------|
| 2. Local Privilege          | All versions up  | CSCsj00785    |
| Escalation Through Default  | to but not       |               |
| cvpnd.exe File Permissions  | including        |               |
|                             | 5.0.01.0600      |               |
+----------------------------------------------------------------+

Note: The VPN Client for Windows software is distributed as both a
Microsoft Installer (MSI) package and an InstallShield (IS) package. Only

Malware detection evasion in antivirus software

Abstract:

Some Windows antivirus software fails to detect, block and/or
disinfect/move/delete malware if the malware EXE file has only
execution permission and no read, write or other permissions.
The worst cases are NOD32 and Avast antivirus, which allow the
malware to run unimpeded. Avast has fixed the flaw while NOD32
is still vulnerable as of this writing.



Re: /proc filesystem allows bypassing directory permissions on Linux

psz@maths.usyd.edu.au wrote:

> > According to POSIX, if you open the directory with O_SEARCH then openat()
> > does not re-check search (+x) permissions.
> 
> My 2.6.26 kernel (or Debian lenny) does not seem to know about O_SEARCH.
> But anyway... even if openat() does not re-check permissions, it should
> surely fail when in fact it does not have permissions? Surely, directory
> contents are not cached? Or, do you have an example (of a running OS)

Advisory: Opera Mobile Cache Poisoning XAS

2 Opera Mobile Internals
========================
Opera Mobile for Android maintains a cache of web pages:

• The cache is stored under the directory /data/data/com.opera.browser with UNIX
  file permissions [rwxrwx--x].

• All directories from the cache directory to the root are globally executable.

• The cache metadata file can be found under
  /data/data/com.opera.browser/dcache4.url with permissions [rw-rw-rw-].

.NET Framework EncoderParameter integer overflow vulnerability

buffer on the heap. After the incorrect allocation, one or more
user-supplied buffers are copied in the new buffer, resulting in a
corruption of the heap.

By exploiting this vulnerability, it is possible for an application
running with Partial Trust permissions to break out of the CLR sandbox
and run arbitrary code with Full Trust permissions.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------

Re: /proc filesystem allows bypassing directory permissions on Linux

>>>> Just looked more carefully at fs/proc/base.c. That behavior is due
>>>> to proc_fd_info(), called from proc_fd_link(), obtaining file->f_path,
>>>> which in turn contains the reference to the open file dentry and
>>>> hence inode. That's exactly why those symlinks behave as hardlinks.
>>>> This behavior assumes that if you were able to open the file,
>>>> you have all necessary transition permissions to access its inode.
>>>> But in order to follow them you need privileges to read the process
>>>> memory, which hardly restricts the impact of this behavior. I don't
>>>> think this should be fixed, since /proc/<PID>/fd/ is mainly for
>>>> debugging purposes.
>>>

CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.

* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.


*Vulnerable Packages*


Re: /proc filesystem allows bypassing directory permissions on Linux

On 26.10.2009 18:58, Pavel Machek wrote:
>>>>> guest certainly does not have permission to ptrace() pavel's
>>>>> processes, so...
>>>>
>>>> But guest has permissions to ptrace() his own processes. If we
>>>> remember your original report, he abuses input redirection of bash
>>>> run by himself. So again, there's no real security hole here.
>>>
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not security hole :-).

Re: /proc filesystem allows bypassing directory permissions on Linux

> >>>guest certainly does not have permission to ptrace() pavel's
> >>>processes, so...
> >>
> >>But guest has permissions to ptrace() his own processes. If we
> >>remember your original report, he abuses input redirection of bash
> >>run by himself. So again, there's no real security hole here.
> >
> >guest abuses ptrace permissions on his own processes to write to
> >pavel's files... no, that obviously is not security hole :-).
> >

Avast! Multiple Vulnerabilities

Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356

DETAILS

Avast! installs some program files with insecure permissions. The "Everyone" group has "Full Control" rights to the files/folders under the following path: "%Program Files%\Alwil Software\Avast4\Data". This means that any unprivileged user can modify, delete or change the permissions of any file in the DATA folder. The folder contains data, executable and configuration files. As a result, multiple attack vectors are possible.

Vulnerability #1 Local privilege escalation (CVE-2009-3524)

A local attacker (unprivileged user) can modify the %Program Files%\Alwil Software\Avast4\Data\avast4.ini file. The "ISAPIFilter1" parameter in avast4.ini contains the filename or full path of the ISAPI filter module, originally "ashWsFtr.dll". An attacker can replace the original path with the path to the attacker's malicious dynamic library (DLL). After a restart, the attacker's DLL will be loaded with SYSTEM privileges. This is a local privilege escalation vulnerability.


Re: /proc filesystem allows bypassing directory permissions on Linux

That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*.  Pavel
described that the sysadmin checked for that, but even if this worked
as expected, there's a race condition where the user could create the
hard link after the sysadmin checked, but before the permissions were
corrected.  Unlikely, I know... but possible.

There's a nearly identical case that works in all Unixen, AFAIK:  You
have /a/b/file1, which is writable to user1.  The user has permission
to descend /a and /a/b.  At some point user1 does a cd to /a/b.  Then

Postfix local privilege escalation via hardlinked symlinks

Also not affected are the following configurations: a) maildir-style
delivery with the Postfix built-in local or virtual delivery agents;
b) mail delivery with non-Postfix local or virtual delivery agents;
c) mailbox-style delivery with the Postfix built-in virtual delivery
agent when virtual mailbox parent directories have no "group" or
other write permissions.

The following configurations are known to be affected on Linux
kernel >= 2.0, Solaris >= 2.0, OpenSolaris 11-2008.5, IRIX 6.5, and
other systems where users can create hardlinks to symlinks: a)
mailbox-style delivery with the Postfix built-in local delivery

Re: /proc filesystem allows bypassing directory permissions on Linux

initial read-only.

Do a strace on your test and you will see that the 'file descriptor'
in /proc will be accessed as an ordinary file. After checking the
directory permissions of that particular file, an open will be
performed on '/proc/self/fd/0' and a new O_WRONLY file descriptor is
created.

As Martin Rex already explained yesterday, /proc is all virtual.

Re: /proc filesystem allows bypassing directory permissions on Linux

On 24.10.2009 10:47, Anton Ivanov wrote:
> Following your logic we should all abandon directory permissions and
> stick to file-only ones. Hmm... Dunno, probably the blood level in my
> coffee subsystem is too high this morning, but I do not quite relish
> that idea.
>
I didn't affirm that. I only said that directory permissions can't in fact
restrict access to the files it contains; they can only hamper accessing that
file via that directory.


Re: /proc filesystem allows bypassing directory permissions on Linux

> -----Original Message-----
> From: nomail@nomail.com [mailto:nomail@nomail.com]
> Sent: Monday, October 26, 2009 9:15 AM
> To: bugtraq@securityfocus.com
> Subject: Re: Re: /proc filesystem allows bypassing directory
> permissions on Linux
>
> >> I do not think mounting /proc should change access control
> semantics.
> >>
> >It didn't in fact change anything. If the guest created

FreeBSD Security Advisory FreeBSD-SA-09:17.freebsd-update

=============================================================================
FreeBSD-SA-09:17.freebsd-update                             Security Advisory
                                                          The FreeBSD Project

Topic:          Inappropriate directory permissions in freebsd-update(8)

Category:       core
Module:         usr.sbin
Announced:      2009-12-03
Credits:        KAMADA Ken'ichi

Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability

>> Mathematica on Linux uses the /tmp/MathLink directory in insecure ways.
>> Mathematica creates or re-uses an existing /tmp/MathLink directory, and
>> overwrites files within and follows symlinks. ...
>
> One quick fix here could be to change user permissions with chmod or
> add a new group where Mathematica in /tmp doesn't have permissions to
> anything under /home so then even if a user is compromised, the
> symlink won't work because the user doesn't have permissions. A root
> user here is an entirely different problem, here an attacker can
> symlink to any directory. So a new group to setup permissions for

Re: /proc filesystem allows bypassing directory permissions on Linux

> Jamie Lokier said:
>>>>   a) the current permission model under /proc/PID/fd has a security
>>>>      hole (which Jamie is worried about)
>>>
>>> I believe its bugtraq time. Being able to reopen file with additional
>>> permissions looks like  a security problem...
>>>
>>> Jamie, do you have some test script? And do you want your 15 minutes
>>>   of bugtraq fame? ;-).
>
>> The reopen does check the inode permission, but it does not require

[UPDATE] NSOADV-2010-001: Panda Security Local Privilege Escalation

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by default are set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started

Re: /proc filesystem allows bypassing directory permissions on Linux

Attacker opens my_priv and waits.

>pavel@toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file
># lock down directory
>pavel@toy:/tmp/my_priv$ chmod 700 .
># relax file permissions, directory is private, so this is safe
># check link count on unwritable_file. We would not want someone 
># to have a hard link to work around our permissions, would we?
>pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file 
>pavel@toy:/tmp/my_priv$ cat unwritable_file 
>this file should never be writable

Re: /proc filesystem allows bypassing directory permissions on Linux

Tony Finch <dot@dotat.at> wrote:

> According to POSIX, if you open the directory with O_SEARCH then openat()
> does not re-check search (+x) permissions.

My 2.6.26 kernel (or Debian lenny) does not seem to know about O_SEARCH.
But anyway... even if openat() does not re-check permissions, it should
surely fail when in fact it does not have permissions? Surely, directory
contents are not cached? Or, do you have an example (of a running OS)
where openat() succeeds without permissions?

Multiple vulnerabilities in osCmax

2.1 Input passed via the "status" GET parameter to /admin/stats_monthly_sales.php is not properly sanitised before being used in an SQL query. This can be exploited to alter SQL queries.
The vulnerability's usage is limited to the "INTO FILE" clause. This vulnerability requires administrative privileges, but it can be exploited via the CSRF technique. A remote attacker would have to make a logged-in website administrator open the following URL (in a hidden iframe, for example):

http://[host]/admin/stats_monthly_sales.php?status=0 union select '<? php_code ?>' INTO OUTFILE '../../../path/to/site/file.php'

Depending on the MySQL and PHP configurations, as well as file system permissions, this PoC should create an arbitrary PHP file within the web root.

2.2 Input passed via the "country" POST parameter to /admin/create_account_process.php is not properly sanitised before being used in an SQL query. This can be exploited to alter SQL queries.
The vulnerability's usage is limited to the "INTO FILE" clause. This vulnerability requires administrative privileges, but it can be exploited via the CSRF technique. A remote attacker would have to make a logged-in website administrator open a page with the following HTML code:



Re: /proc filesystem allows bypassing directory permissions on

Especially important: the last sentence!


Changing the access modes of a file descriptor is probably difficult
to implement.  It may be feasible for a file in the filesystem which
has an inode with access permissions which could be checked.
Doing it for a socket might be a bad idea -- and usually impossible,
one cannot undo the shutdown(SHUT_WR) of a socket...



NSOADV-2010-001: Panda Security Local Privilege Escalation

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During  installation  of  Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC\

by default are set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started

[ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability

to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).


Re: /proc filesystem allows bypassing directory permissions on Linux

On Mon, Oct 26, 2009 at 12:14:36PM -0400, Stephen Harris wrote:

||  User1 creates file with permissions 0644
||                      User2 opens file for read access on file descriptor 4
||  User1 chmod's directory to 0700
||  User1 chmod's file to 0666
||  User1 verifies no hard links to file
||                      User2 can not open the file for read or write access
||                      User2 can not write to file descriptor 4
||                      User2 _can_ write to /proc/$$/fd/4
