[colug-432] New root exploit code for CentOS

Neal Dias roman at ensecure.org
Tue May 14 15:40:38 EDT 2013


Rick,

Thanks for pointing that out... I'll admit I'm referring to the default
Targeted policy, which is what most shops are running. As you note, "with
the right policies", which very, very few shops are running. And the OP
didn't note any distinction between whether it was Targeted mode or
MLS/MCS; he just said you could disable SELinux. Even if you are running
Targeted (where everything without a policy is unconfined by default) and
have created policies to confine targeted processes, unless you've
implemented strict or MLS/MCS (where everything is confined by default), if
I can get to a root shell, game over.

-nd


On Tue, May 14, 2013 at 1:22 PM, Rick Troth <rmt at casita.net> wrote:

> > Not sure what is interesting about the ability to disable SELinux; you
> > have root, game over.
>
> With the right profiles, a major selling point of SELinux (as "we" use
> it) is that it's *not* game over just because you got root.  (There
> are other features of SELinux which are more interesting to the NSA
> than they are to you and me.)
>
> I'm not personally a fan, but I'm not using this as an opportunity to
> jab at it ... or maybe I am.
>
> -- R; <><
>
>
>
>
> On Tue, May 14, 2013 at 1:00 PM, Neal Dias <roman at ensecure.org> wrote:
> > Not sure what is interesting about the ability to disable SELinux; you
> > have root, game over.
> >
> > RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.
> >
> > https://access.redhat.com/security/cve/CVE-2013-2094
> > https://bugzilla.redhat.com/show_bug.cgi?id=962792
> >
> > On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <joskra42.list at gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I recently saw this:
> >>
> >> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59
> >>
> >> Given a command prompt, download this exploit, compile it, run it... and
> >> you suddenly have root.  What is interesting about this is, as soon as you
> >> have root, you can disable SELinux.
> >>
> >> Apparently it can be mitigated using this kernel module:
> >>
> >> http://elrepo.org/tiki/kmod-tpe
> >>
> >> I spun up a test VM and tested this - it works!  What would be interesting
> >> is doing some investigation to see if SELinux could prevent damage if this
> >> code was run from a malicious web app instead of the command prompt.
> >>
> >> Also, I wonder if this works on Scientific Linux and other RHEL
> >> derivatives, or RHEL itself?
> >>
> >> Cheers,
> >> -JK
> >>
> >> _______________________________________________
> >> colug-432 mailing list
> >> colug-432 at colug.net
> >> http://lists.colug.net/mailman/listinfo/colug-432
> >>
> >
> >
> >
>
>
>
> --
> -- R;   <><
>
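The three points argued in this thread (RHEL 6 kernels are exposed until updated while RHEL 5 is not; a root shell under the default targeted policy runs as unconfined_t and can simply run `setenforce 0`; kmod-tpe is the mitigation Joshua points at) turned into a repeatable host check. This is an added example, not code from the list, from Red Hat or from ELRepo. The fixed RHEL 6 kernel release it assumes (2.6.32-358.6.2.el6) is an assumption to be confirmed against the Red Hat CVE page linked above, and the sample kernel string, `id -Z` context and `lsmod` output embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the thread above; not code from the list, Red Hat or ELRepo.
# It turns the three points raised into a repeatable host check:
#   1. RHEL 6 kernels (2.6.32-NNN.el6) are affected until updated; RHEL 5
#      (2.6.18-NNN.el5) is not, per Neal's note.
#   2. Under the default targeted policy a root shell is unconfined_t, so
#      `setenforce 0` is one command away once the exploit lands.
#   3. kmod-tpe is the mitigation Joshua mentions; check whether it is loaded.
# Every check is a pure function of strings, so it can be run on values copied
# from another host; main() feeds it the live host's values.

# ASSUMPTION: first fixed RHEL 6 kernel release. Confirm it against the Red Hat
# CVE page linked in the thread before acting on an affected/fixed verdict.
FIXED_EL6_RELEASE=358.6.2

# vercmp A B: prints lt, eq or gt for dotted numeric strings (358.2.1 vs 358.6.2).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo lt; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# kernel_status RELEASE (from `uname -r`): not-affected | affected | fixed | unknown.
kernel_status() {
    case $1 in
        2.6.18-*.el5*) echo not-affected ;;
        2.6.32-*.el6*)
            rel=${1#2.6.32-}; rel=${rel%%.el6*}   # 2.6.32-358.2.1.el6.x86_64 -> 358.2.1
            case $(vercmp "$rel" "$FIXED_EL6_RELEASE") in
                lt) echo affected ;;
                *)  echo fixed ;;
            esac ;;
        *) echo unknown ;;                        # other kernels: ask your own vendor
    esac
}

# selinux_confinement CONTEXT (from `id -Z`): unconfined | confined | unknown.
# The domain is the third field; unconfined_t is what root gets under targeted.
selinux_confinement() {
    case $1 in
        *:*:unconfined_t:*|*:*:unconfined_t) echo unconfined ;;
        *:*:*_t:*|*:*:*_t)                   echo confined ;;
        *)                                   echo unknown ;;
    esac
}

# tpe_loaded LSMOD_OUTPUT: succeeds when the tpe module appears in `lsmod` output.
tpe_loaded() {
    printf '%s\n' "$1" | awk '$1 == "tpe" { found = 1 } END { exit !found }'
}

# report KERNEL CONTEXT ENFORCE_MODE LSMOD_OUTPUT: one verdict line per point above.
report() {
    k=$(kernel_status "$1")
    c=$(selinux_confinement "$2")
    echo "kernel $1: $k"
    if [ "$k" = affected ]; then
        echo "  -> any shell user can get root with the public exploit; update the kernel"
    fi
    echo "selinux: mode=$3 shell=$c"
    if [ "$c" = unconfined ]; then
        echo "  -> root shell is unconfined_t: it can run 'setenforce 0', so SELinux does not limit what root does next"
    fi
    if tpe_loaded "$4"; then
        echo "tpe: loaded (the exec restriction Joshua mentions is in place)"
    else
        echo "tpe: not loaded (a user with a shell can compile and run the exploit)"
    fi
}

# Constructed sample inputs (not captured from a real host): a RHEL 6-family
# kernel from before the update, root under the targeted policy, tpe loaded.
SAMPLE_KERNEL='2.6.32-358.2.1.el6.x86_64'
SAMPLE_CONTEXT='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_LSMOD='Module                  Size  Used by
tpe                    16384  0
ext4                  374475  2'

main() {
    echo "== constructed sample =="
    report "$SAMPLE_KERNEL" "$SAMPLE_CONTEXT" Enforcing "$SAMPLE_LSMOD"
    echo "== this host =="
    report "$(uname -r 2>/dev/null || echo unknown)" \
           "$(id -Z 2>/dev/null || echo unknown)" \
           "$(getenforce 2>/dev/null || echo unknown)" \
           "$(lsmod 2>/dev/null || true)"
}
main
```

Run it as `sh check.sh` on the box; the first block is the worst case from the thread (affected kernel, unconfined root, tpe loaded), the second is the live host. Note that tpe only restricts what an ordinary user can exec; it does not change the kernel, so the kernel update is the fix and a "fixed" verdict is only as good as the release number the script assumes.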