Security
Another Linux capabilities hole found
A recent patch posted to the linux-kernel mailing list fixes a long-standing flaw in the Linux capabilities implementation. The problem has existed since capabilities were added to the kernel during the 2.1 development series—more than ten years ago. One of the obvious questions is how a bug of that sort could have escaped notice for so long.
The problem was reported in March by Igor Zhbanov, who provided an excellent analysis of the flaw and how it can be exploited. The basic problem lives in the VFS and NFS code which tries to drop privileges, by way of capabilities, before performing operations. The mask of capabilities bits that was used for that purpose does not include CAP_MKNOD (the ability to make a device node entry) or CAP_LINUX_IMMUTABLE (which allows changing the S_APPEND and S_IMMUTABLE file attributes). That means that those capabilities bits are not removed before the file operation is performed.
Zhbanov shows that on a compromised client machine, the root user could give another user CAP_MKNOD, which would allow that user to run the mknod command and create a device entry owned by them. If this is done on an NFS-mounted filesystem, the device node is created on the server, still owned by that user, because the server-side code never dropped CAP_MKNOD before performing the operation. This works even if the root_squash option—essentially mapping root users on client machines to "nobody" on the server machine—was used on the export.
If the user on the compromised machine can execute code on the server or any other client, they can directly access the device that underlies the device node entry. They will not require any special permissions on the other machines because the device node is owned by them. For example, creating the equivalent of /dev/hda on the server's filesystem might allow direct access to the hard disk block device on any system that had the NFS filesystem mounted. Uglier exploits can certainly be imagined.
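The mask logic described above, as an added example that is not from the article or from the kernel patch it discusses. The capability bit numbers are the real ones from <linux/capability.h>; the exact contents of the pre-fix file-system mask are an assumption made here (the five classic file-permission capabilities, with CAP_MKNOD and CAP_LINUX_IMMUTABLE missing, as the article describes). The program also shows the user-space check a practitioner would run first: parse CapEff from /proc/<pid>/status and report whether CAP_MKNOD is present. The /proc excerpt in main() is constructed for the example.

```c
/* Added example: models the "drop file capabilities" mask the article
 * describes and checks a process's effective set for CAP_MKNOD.
 * Bit numbers are from <linux/capability.h>; the pre-fix mask contents are
 * an assumption based on the article, not copied from the kernel source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH  2
#define CAP_FOWNER           3
#define CAP_FSETID           4
#define CAP_LINUX_IMMUTABLE  9
#define CAP_MKNOD           27
#define CAP_BIT(c) (UINT64_C(1) << (c))

/* Assumed pre-fix mask: only the classic file-permission capabilities. */
static const uint64_t fs_mask_old =
    CAP_BIT(CAP_CHOWN) | CAP_BIT(CAP_DAC_OVERRIDE) |
    CAP_BIT(CAP_DAC_READ_SEARCH) | CAP_BIT(CAP_FOWNER) | CAP_BIT(CAP_FSETID);

/* Fixed mask: the two bits the article says were missing are added. */
static const uint64_t fs_mask_fixed =
    fs_mask_old | CAP_BIT(CAP_MKNOD) | CAP_BIT(CAP_LINUX_IMMUTABLE);

/* Effective set left after the "drop privileges before the file op" step. */
uint64_t drop_fs_caps(uint64_t effective, uint64_t fs_mask)
{
    return effective & ~fs_mask;
}

/* Extract the hex CapEff value from /proc/<pid>/status text (0 if absent). */
uint64_t parse_capeff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

int has_cap(uint64_t caps, int cap)
{
    return (int)((caps >> cap) & 1);
}

static void report(const char *label, uint64_t caps)
{
    printf("%-28s CapEff=%016llx  CAP_MKNOD=%d  CAP_LINUX_IMMUTABLE=%d\n",
           label, (unsigned long long)caps,
           has_cap(caps, CAP_MKNOD), has_cap(caps, CAP_LINUX_IMMUTABLE));
}

int main(void)
{
    /* Constructed /proc status excerpt: an unprivileged user that root on
     * the client handed CAP_MKNOD (plus CAP_CHOWN). 0x08000001 = bits 27, 0. */
    const char *sample =
        "Name:\tmknod\n"
        "Uid:\t1000\t1000\t1000\t1000\n"
        "CapEff:\t0000000008000001\n";
    char buf[8192];
    const char *status = sample;

    /* On Linux, prefer the caller's real status file; fall back to the sample. */
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        size_t n = fread(buf, 1, sizeof(buf) - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (strstr(buf, "CapEff:") != NULL)
            status = buf;
    }

    uint64_t eff = parse_capeff(status);
    report("effective set", eff);
    report("after old mask (buggy)", drop_fs_caps(eff, fs_mask_old));
    report("after fixed mask", drop_fs_caps(eff, fs_mask_fixed));
    return 0;
}
```

With the sample, the old mask leaves CAP_MKNOD in place and the fixed mask clears it. The per-user check is only half the picture: on a client, a device node created this way is usable unless the export is mounted with nodev, so auditing client mount options and scanning exports for device nodes owned by non-root users are the complementary checks.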
This is clearly a nasty problem. Linus Torvalds merged the fix for the recently released 2.6.30-rc2 kernel. One would guess the -stable tree folks won't be too far behind. Serge Hallyn also provided patches for 2.4 and 2.2 kernels, though the latter has become completely unsupported.
The patch was greeted with a question from Valdis Kletnieks: "Wow. How did this manage to stay unnoticed for this long?" Torvalds had a characteristically blunt answer: "Because nobody uses capabilities?" While that might explain how the bug went undetected for so long, it doesn't help alleviate the problem. Whether or not user space is using capabilities is irrelevant; the kernel itself certainly is.
This is not the first time capabilities have been the source of a nasty, exploitable hole. The unfortunately-named "sendmail-capabilities bug" provided a way to gain root privileges by exploiting the way sendmail dropped its privileges. The solution, when this bug was found in 2000, was to "cripple" capabilities in the kernel by disabling capability inheritance. That functionality was not restored until relatively recently.
If distributions and other users were doing more with capabilities, it does seem likely that this particular problem would have been seen sometime in the last decade. But, by and large, Torvalds is right. For one thing, capabilities are a Linux-specific feature, so anyone writing portable code is likely to avoid using them. In addition, they are fairly difficult to wrap your head around; that complexity tends to lead folks to ignore capabilities.
There have been some efforts at using capabilities in distributions more, but one has to wonder how many more exploits still lurk in that code. It is hard to imagine removing capabilities at this late date—it is a user-space interface from the kernel after all—but some must be wondering if the feature is worth all the trouble it has caused.
New vulnerabilities
clamav: denial of service
Package(s): clamav
CVE #(s):
Created: April 14, 2009
Updated: April 15, 2009
Description: From the Ubuntu advisory: It was discovered that ClamAV did not properly verify buffers when processing Upack files. A remote attacker could send a crafted file and cause a denial of service via application crash.
Alerts:
ghostscript: overflows and underflows
Package(s): ghostscript
CVE #(s): CVE-2007-6725 CVE-2008-6679 CVE-2009-0196
Created: April 15, 2009
Updated: August 2, 2010
Description: Ghostscript contains a buffer underflow in the CCITTFax decoder (CVE-2007-6725), a buffer overflow in the BaseFont writer module (CVE-2008-6679) and a buffer overflow in the jbig2dec library (CVE-2009-0196).
Alerts:
ghostscript: integer overflows
Package(s): ghostscript
CVE #(s): CVE-2009-0792
Created: April 9, 2009
Updated: August 2, 2010
Description: Ghostscript has multiple integer overflows. The National Vulnerability Database entry states: Multiple integer overflows in icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allow context-dependent attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly execute arbitrary code by using a device file for a translation request that operates on a crafted image file and targets a certain "native color space," related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images. NOTE: this issue exists because of an incomplete fix for CVE-2009-0583.
Alerts:
imp4: cross-site scripting
Package(s): imp4
CVE #(s): CVE-2009-0930
Created: April 13, 2009
Updated: April 1, 2010
Description: From the Debian advisory: It was discovered that imp4 is prone to several cross-site scripting (XSS) attacks via several vectors in the mail code allowing attackers to inject arbitrary HTML code.
Alerts:
mod_perl: cross-site scripting
Package(s): mod_perl
CVE #(s): CVE-2009-0796
Created: April 13, 2009
Updated: December 9, 2009
Description: From the Mandriva advisory: Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI (CVE-2009-0796).
Alerts:
ntop: world-writable log file
Package(s): ntop
CVE #(s):
Created: April 14, 2009
Updated: April 15, 2009
Description: /var/log/ntop/access.log is world-writable if the --access-log-file option is used.
Alerts:
ntp: arbitrary code execution
Package(s): ntp
CVE #(s): CVE-2009-0159
Created: April 14, 2009
Updated: December 9, 2009
Description: From the Mandriva advisory: Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution.
Alerts:
openafs: multiple vulnerabilities
Package(s): openafs
CVE #(s): CVE-2009-1250 CVE-2009-1251
Created: April 13, 2009
Updated: January 17, 2011
Description: From the Debian advisory: An attacker with control of a file server or the ability to forge RX packets may be able to execute arbitrary code in kernel mode on an OpenAFS client, due to a vulnerability in XDR array decoding. (CVE-2009-1251) An attacker with control of a file server or the ability to forge RX packets may crash OpenAFS clients because of wrongly handled error return codes in the kernel module. (CVE-2009-1250)
Alerts:
php: denial of service
Package(s): php
CVE #(s): CVE-2009-1271
Created: April 10, 2009
Updated: January 6, 2010
Description: From the Mandriva advisory: The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API function.
Alerts:
pptp: file permission problem
Package(s): pptp
CVE #(s):
Created: April 9, 2009
Updated: April 15, 2009
Description: pptp has a file permission problem. From the Fedora 10 alert: This update corrects the behaviour of pptpsetup when its --delete option is used, retaining the permissions of /etc/ppp/chap-secrets rather than creating a new file that is likely to be world-readable. If you have previously used the --delete option of pptpsetup, you should reset the permissions of /etc/ppp/chap-secrets to their default value of 0600 unless you have good reasons to use another value: # chmod 600 /etc/ppp/chap-secrets.
Alerts:
seamonkey: XSL Transformation vulnerability
Package(s): seamonkey
CVE #(s):
Created: April 14, 2009
Updated: April 15, 2009
Description: See Security Advisories for SeaMonkey 1.1: SeaMonkey 1.1.16 fixes an XSL Transformation vulnerability.
Alerts:
tor: multiple vulnerabilities
Package(s): tor
CVE #(s): CVE-2008-5397 CVE-2008-5398 CVE-2009-0414 CVE-2009-0939 CVE-2009-0936 CVE-2009-0937 CVE-2009-0938
Created: April 9, 2009
Updated: April 15, 2009
Description: Tor has a number of vulnerabilities. From the Gentoo alert:
* Theo de Raadt reported that the application does not properly drop privileges to the primary groups of the user specified via the "User" configuration option (CVE-2008-5397).
* rovv reported that the "ClientDNSRejectInternalAddresses" configuration option is not always enforced (CVE-2008-5398).
* Ilja van Sprundel reported a heap-corruption vulnerability that might be remotely triggerable on some platforms (CVE-2009-0414).
* It has been reported that incomplete IPv4 addresses are treated as valid, violating the specification (CVE-2009-0939).
* Three unspecified vulnerabilities have also been reported (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).
Alerts:
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-1210 CVE-2009-1268 CVE-2009-1269
Created: April 10, 2009
Updated: December 7, 2009
Description: From the Mandriva advisory: The PROFINET dissector was vulnerable to a format string overflow (CVE-2009-1210). The Check Point High-Availability Protocol (CPHAP) dissector could crash (CVE-2009-1268). Wireshark could crash while loading a Tektronix .rf5 file (CVE-2009-1269).
Alerts:
wordpress-mu: cross-site scripting vulnerability
Package(s): wordpress-mu
CVE #(s): CVE-2009-1030
Created: April 9, 2009
Updated: August 18, 2009
Description: From the National Vulnerability Database entry: Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
Alerts:
xine-lib: integer overflow
Package(s): xine-lib
CVE #(s): CVE-2009-1274
Created: April 9, 2009
Updated: June 1, 2010
Description: From the National Vulnerability Database entry: Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow.
Alerts:
Page editor: Jake Edge