[colug-432] New root exploit code for CentOS

Jon Miller jonebird at gmail.com
Tue May 14 13:50:39 EDT 2013


Can you use selinux to restrict root from disabling selinux? Disabling
selinux was what I was thinking when Neal suggested it was "game over".

-- Jon


On Tue, May 14, 2013 at 10:37 AM, Joshua Kramer <joskra42.list at gmail.com> wrote:

> "With the right profiles, a major selling point of SELinux (as "we" use
> it) is that it's *not* game over just because you got root."
>
>  In theory it shouldn't be.  Running processes have contexts attached to
> them; this article I wrote a few years ago explains:
>
>
> http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications
>
> Essentially, each running process has a context attached to it.  Even if
> the process elevates to root privilege (i.e. running a SUID executable,
> having exploit code such as we see here, etc.), the OS sees that the
> process has a certain context and denies permission for stuff it shouldn't
> have.  In the example I used in the article, a SUID root executable copies
> /etc/shadow when it is run from a website that has ostensibly been cracked.
>  When SELinux is disabled, this works.  When SELinux is enabled, the OS
> says, "Hey HTTPD, I don't care if you say you're root, you can't touch
> /etc/shadow!"  I never thought to attempt to set /selinux/enforcing to 0
> and then attempt that... but I'd hope that the OS would say, "Hey HTTPD, I
> don't care if you say you're root, you can't touch /selinux/enforcing!"
>
>
>
> On Tue, May 14, 2013 at 1:22 PM, Rick Troth <rmt at casita.net> wrote:
>
>> > Not sure what is interesting about the ability to disable SELinux; you
>> > have root, game over.
>>
>> With the right profiles, a major selling point of SELinux (as "we" use
>> it) is that it's *not* game over just because you got root.  (There
>> are other features of SELinux which are more interesting to the NSA
>> than they are to you and me.)
>>
>> I'm not personally a fan, but I'm not using this as an opportunity to
>> jab at it ... or maybe I am.
>>
>> -- R; <><
>>
>>
>>
>>
>> On Tue, May 14, 2013 at 1:00 PM, Neal Dias <roman at ensecure.org> wrote:
>> > Not sure what is interesting about the ability to disable SELinux; you
>> > have root, game over.
>> >
>> > RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.
>> >
>> > https://access.redhat.com/security/cve/CVE-2013-2094
>> > https://bugzilla.redhat.com/show_bug.cgi?id=962792
>> >
>> > On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <joskra42.list at gmail.com>
>> > wrote:
>> >>
>> >> Hello,
>> >>
>> >> I recently saw this:
>> >>
>> >>
>> >> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59
>> >>
>> >> Given a command prompt, download this exploit, compile it, run it...
>> >> and you suddenly have root.  What is interesting about this is, as soon
>> >> as you have root, you can disable SELinux.
>> >>
>> >> Apparently it can be mitigated using this kernel module:
>> >>
>> >> http://elrepo.org/tiki/kmod-tpe
>> >>
>> >> I spun up a test VM and tested this - it works!  What would be
>> >> interesting is doing some investigation to see if SELinux could prevent
>> >> damage if this code was run from a malicious web app instead of the
>> >> command prompt.
>> >>
>> >> Also, I wonder if this works on Scientific Linux and other RHEL
>> >> derivatives, or RHEL itself?
>> >>
>> >> Cheers,
>> >> -JK
>> >>
>> >> _______________________________________________
>> >> colug-432 mailing list
>> >> colug-432 at colug.net
>> >> http://lists.colug.net/mailman/listinfo/colug-432
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> -- R;   <><
>>
>
>
>
>
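The refusals Joshua describes in the quoted message above (a root process still confined as httpd_t being denied /etc/shadow, and the open question of it writing to the selinuxfs enforcing switch) land in the audit log as AVC records. The following is an added example, written by the editor and not by anyone in this thread: it parses constructed AVC lines and flags the denials a defender would want to alert on. The type names (httpd_t, shadow_t, security_t) are the standard RHEL 6 targeted-policy ones; the sample records themselves are constructed.

```python
import re
from collections import namedtuple

# Constructed sample audit records (not from the thread): a confined httpd_t
# process that has become root is still refused shadow_t and security_t
# (selinuxfs; its "enforce" node is the switch Joshua asks about).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1368552001.101:201): avc:  denied  { read } for  pid=2211 comm="httpd" name="shadow" dev=dm-0 ino=131102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1368552002.202:202): avc:  denied  { setenforce } for  pid=2211 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1368552003.303:203): avc:  denied  { write } for  pid=2211 comm="httpd" name="enforce" dev=selinuxfs ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1368552004.404:204): avc:  granted  { read } for  pid=2211 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1368552001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AvcEvent = namedtuple("AvcEvent", "result perms name scontext tcontext tclass")

def parse_avc(line):
    """Parse one audit line; return None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcEvent(m.group("result"), tuple(m.group("perms").split()),
                    f.get("name", ""), f["scontext"], f["tcontext"], f.get("tclass", ""))

def type_of(context):
    return context.split(":")[2]          # user:role:type[:level]

# Target types a web-facing domain should never reach: shadow_t holds the
# password hashes; security_t is selinuxfs, i.e. the enforcing switch.
SENSITIVE = {"shadow_t": "credential theft", "security_t": "SELinux tampering"}

def triage(log_text):
    """Return (reason, event) for every denial aimed at a sensitive target."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.result != "denied":
            continue
        ttype = type_of(ev.tcontext)
        if ttype in SENSITIVE:
            findings.append((SENSITIVE[ttype], ev))
        elif ev.tclass == "security":     # setenforce, load_policy, setbool...
            findings.append(("SELinux tampering", ev))
    return findings
```

On a real host the same function can be fed /var/log/audit/audit.log; a hit on security_t from httpd_t is exactly the "you can't touch /selinux/enforce" case, and it is only logged because the policy denied it.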