[colug-432] New root exploit code for CentOS

Neal Dias roman at ensecure.org
Tue May 14 15:16:25 EDT 2013


Ok...so going on what you first posted:

">> Given a command prompt, download this exploit, compile it, run it... and
>> you suddenly have root.  What is interesting about this is, as soon as you
>> have root, you can disable SELinux."

So you're saying that this exploit allows an attacker to not only obtain a
root shell but to also disable SELinux even if strict or MLS policy is
being enforced? Otherwise, with the Targeted policy, this is nothing new.

Been quite a while since I dug into SELinux, hope the memory is still good
here...

While you are correct that, dependent upon the policy, SELinux can prevent
actions by root based on MAC, IIRC this requires MLS/MCS to be enabled and
the system completely labeled/relabeled as such. With the default Targeted
policy, root can both disable SELinux and set it into permissive mode.
Again, game over. Now, if you're running MLS/MCS, you may be correct, but
for most shops, getting them to run SELinux at all is like pulling teeth.
SELinux is not magical, it is nothing more than a MAC implementation. How
you configure your SELinux implementation is where the rubber meets the
road. For most, this is simply installing RHEL/CentOS with SELinux
enforcing default Targeted (if enabled at all). If I can get to a root
shell, there is nothing stopping me from disabling SELinux or setting it to
permissive when running the Targeted policy. SELinux's value is in
preventing an attacker from getting a root shell in the first place by
disallowing a process from accessing something outside of what has been
defined in policy; once you have a root shell, again, game over (again,
unless you're using MLS/MCS).

"MAC provides strong separation of applications that permits the safe
execution of untrustworthy applications. Its ability to limit the
privileges associated with executing processes limits the scope of
potential damage that can result from the exploitation of vulnerabilities
in applications and system services."
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Introduction.html#sect-Security-Enhanced_Linux-Introduction-Benefits_of_running_SELinux

In this case, the exploit has achieved a root shell; either SELinux was
circumvented or what was being exploited was not confined. In either case,
SELinux did not prevent the exploit and once root shell is obtained, by
design in Targeted, root can disable or change the SELinux configuration
from enforcing to permissive.

The fact that you get the root shell from this exploit tells me this is not
interesting from the SELinux perspective; it is only interesting from that
perspective if the process exploited was confined by SELinux policy, or
root is confined by an MLS/MCS policy once the root shell is achieved.

-nd


On Tue, May 14, 2013 at 1:37 PM, Joshua Kramer <joskra42.list at gmail.com> wrote:

> "With the right profiles, a major selling point of SELinux (as "we" use
> it) is that it's *not* game over just because you got root."
>
> In theory it shouldn't be.  Running processes have contexts attached to
> them; this article I wrote a few years ago explains:
>
>
> http://www.packtpub.com/article/selinux-secured-web-hosting-python-based-web-applications
>
> Essentially, each running process has a context attached to it.  Even if
> the process elevates to root privilege (i.e. running a SUID executable,
> having exploit code such as we see here, etc.), the OS sees that the
> process has a certain context and denies permission for stuff it shouldn't
> have.  In the example I used in the article, a SUID root executable copies
> /etc/shadow when it is run from a website that has ostensibly been cracked.
>  When SELinux is disabled, this works.  When SELinux is enabled, the OS
> says, "Hey HTTPD, I don't care if you say you're root, you can't touch
> /etc/shadow!"  I never thought to attempt to set /selinux/enforcing to 0
> and then attempt that... but I'd hope that the OS would say, "Hey HTTPD, I
> don't care if you say you're root, you can't touch /selinux/enforcing!"
>
>
>
> On Tue, May 14, 2013 at 1:22 PM, Rick Troth <rmt at casita.net> wrote:
>
>> > Not sure what is interesting about the ability to disable SELinux; you
>> > have root, game over.
>>
>> With the right profiles, a major selling point of SELinux (as "we" use
>> it) is that it's *not* game over just because you got root.  (There
>> are other features of SELinux which are more interesting to the NSA
>> than they are to you and me.)
>>
>> I'm not personally a fan, but I'm not using this as an opportunity to
>> jab at it ... or maybe I am.
>>
>> -- R; <><
>>
>>
>>
>>
>> On Tue, May 14, 2013 at 1:00 PM, Neal Dias <roman at ensecure.org> wrote:
>> > Not sure what is interesting about the ability to disable SELinux; you
>> > have root, game over.
>> >
>> > RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.
>> >
>> > https://access.redhat.com/security/cve/CVE-2013-2094
>> > https://bugzilla.redhat.com/show_bug.cgi?id=962792
>> >
>> > On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <joskra42.list at gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I recently saw this:
>> >>
>> >> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59
>> >>
>> >> Given a command prompt, download this exploit, compile it, run it... and
>> >> you suddenly have root.  What is interesting about this is, as soon as you
>> >> have root, you can disable SELinux.
>> >>
>> >> Apparently it can be mitigated using this kernel module:
>> >>
>> >> http://elrepo.org/tiki/kmod-tpe
>> >>
>> >> I spun up a test VM and tested this - it works!  What would be interesting
>> >> is doing some investigation to see if SELinux could prevent damage if this
>> >> code was run from a malicious web app instead of the command prompt.
>> >>
>> >> Also, I wonder if this works on Scientific Linux and other RHEL
>> >> derivatives, or RHEL itself?
>> >>
>> >> Cheers,
>> >> -JK
>> >>
>> >> _______________________________________________
>> >> colug-432 mailing list
>> >> colug-432 at colug.net
>> >> http://lists.colug.net/mailman/listinfo/colug-432
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> -- R;   <><
>>
>
>
>
>
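As an added example (not code from anyone in this thread), a small Python triage script over constructed audit records that shows the two outcomes debated above: a confined httpd_t domain refused `setenforce` on security_t (an AVC denial, what Joshua hoped for), versus an unconfined root actually switching the box to permissive, which produces no denial at all and only shows up as a MAC_STATUS record (Neal's "game over" under the Targeted policy). Record contents are constructed; the record layouts follow what the Linux audit subsystem writes.

```python
import re
from typing import Dict, List

# Constructed sample records (not taken from the thread); the layouts are those
# the Linux audit subsystem writes for SELinux denials and mode/policy changes.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1368556012.101:201): avc:  denied  { read } for  pid=2311 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1368556020.333:202): avc:  denied  { setenforce } for  pid=2311 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=MAC_STATUS msg=audit(1368556030.555:203): enforcing=0 old_enforcing=1 auid=0 ses=3
type=MAC_POLICY_LOAD msg=audit(1368556050.000:204): policy loaded auid=0 ses=3
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?scontext=(?P<src>\S+) '
                    r'tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)')
STATUS_RE = re.compile(r'enforcing=(?P<new>\d) old_enforcing=(?P<old>\d) auid=(?P<auid>\d+)')

def classify(line: str) -> Dict[str, str]:
    """Map one audit record to a finding; empty dict if the record is not of interest."""
    if 'type=AVC' in line:
        m = AVC_RE.search(line)
        if not m:
            return {}
        src_type = m.group('src').split(':')[2]          # e.g. httpd_t
        if m.group('cls') == 'security':
            # A confined domain tried to use the SELinux control interface
            # (setenforce / load_policy) and was refused: policy doing its job.
            return {'severity': 'info', 'domain': src_type,
                    'event': f"blocked {m.group('perms').strip()} on security_t"}
        return {'severity': 'medium', 'domain': src_type,
                'event': f"denied {m.group('perms').strip()} on {m.group('tgt').split(':')[2]}"}
    if 'type=MAC_STATUS' in line:
        m = STATUS_RE.search(line)
        if m and m.group('old') == '1' and m.group('new') == '0':
            # Nothing was denied: an unconfined root (auid says who logged in)
            # flipped enforcing to permissive, the outcome Neal describes.
            return {'severity': 'high', 'domain': f"auid={m.group('auid')}",
                    'event': 'SELinux switched from enforcing to permissive'}
    if 'type=MAC_POLICY_LOAD' in line:
        m = re.search(r'auid=(\d+)', line)
        return {'severity': 'high', 'domain': f"auid={m.group(1) if m else '?'}",
                'event': 'SELinux policy (re)loaded'}
    return {}

def scan(audit_text: str) -> List[Dict[str, str]]:
    """Run classify() over every record and keep the findings, in log order."""
    return [f for f in (classify(l) for l in audit_text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_AUDIT):
        print(f"[{f['severity']:<6}] {f['domain']:<12} {f['event']}")
```

On a real host the input would be /var/log/audit/audit.log; the point of the two "high" findings is that they are the records a defender has to alert on, because SELinux itself raises no denial when unconfined root changes mode.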