path: root/active/CVE-2021-3864
blob: 9a50f7e08dc6a8c4bbc07e2e902666a98d8c915a
Description: a setuid program that execs another program can core-dump into a directory not writable by the caller; privilege escalation is possible
References:
 https://www.openwall.com/lists/oss-security/2021/10/20/2
 https://bugzilla.redhat.com/show_bug.cgi?id=2015046
 https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com
 https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com
 https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/
Notes:
 bwh> The PoC exploits logrotate's lax parsing of configuration files
 bwh> to inject commands via the coredump, but I think generally we
 bwh> should assume that bypassing write-protection in any way can
 bwh> lead to privilege escalation.
 bwh> sudo is an important part of the PoC and should disable
 bwh> coredumps by default.
 bwh> It's less clear what should be done in the kernel; possibly
 bwh> some resource limits should be reset on exec of a setuid
 bwh> program - see
 bwh> https://lore.kernel.org/linux-api/87fso91n0v.fsf_-_@email.froward.int.ebiederm.org/
Bugs:
upstream: needed
5.10-upstream-stable: needed
4.19-upstream-stable: needed
4.9-upstream-stable: needed
sid: needed
5.10-bullseye-security: needed
4.19-buster-security: needed
4.9-stretch-security: ignored "EOL"

© 2014-2024 Faster IT GmbH