[colug-432] New root exploit code for CentOS

Joshua Kramer joskra42.list at gmail.com
Tue May 14 17:18:59 EDT 2013


With some quick experimentation and a suid root C program run from a Python
WSGI script (under httpd) I have not been able to deactivate SELinux via a
call to /sbin/setenforce.  However, I was also unable to copy /etc/shadow
to an httpd-owned and writable directory using the same C program.


On Tue, May 14, 2013 at 3:40 PM, Neal Dias <roman at ensecure.org> wrote:

> Rick,
>
> Thanks for pointing that out...I'll admit I'm referring to the default
> Targeted policy which is what most shops are running. As you note, "with
> the right policies", that very, very few shops are running. And the OP
> didn't note any distinction between whether it was a Targeted mode or
> MLS/MCS, he just said you could disable SELinux. Even if you are running
> Targeted (where everything without a policy is unconfined by default) and
> have created policies to confine targeted processes, unless you've
> implemented strict or MLS/MCS (where everything is confined by default), if
> I can get to a root shell, game over.
>
> -nd
>
>
> On Tue, May 14, 2013 at 1:22 PM, Rick Troth <rmt at casita.net> wrote:
>
>> > Not sure what is interesting about the ability to disable SELinux; you have root, game over.
>>
>> With the right profiles, a major selling point of SELinux (as "we" use
>> it) is that it's *not* game over just because you got root.  (There
>> are other features of SELinux which are more interesting to the NSA
>> than they are to you and me.)
>>
>> I'm not personally a fan, but I'm not using this as an opportunity to
>> jab at it ... or maybe I am.
>>
>> -- R; <><
>>
>>
>>
>>
>> On Tue, May 14, 2013 at 1:00 PM, Neal Dias <roman at ensecure.org> wrote:
>> > Not sure what is interesting about the ability to disable SELinux; you have
>> > root, game over.
>> >
>> > RHEL 5 is not affected, RHEL 6 is, updated packages still in-process.
>> >
>> > https://access.redhat.com/security/cve/CVE-2013-2094
>> > https://bugzilla.redhat.com/show_bug.cgi?id=962792
>> >
>> > On Tue, May 14, 2013 at 12:33 PM, Joshua Kramer <joskra42.list at gmail.com>
>> > wrote:
>> >>
>> >> Hello,
>> >>
>> >> I recently saw this:
>> >>
>> >>
>> https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59
>> >>
>> >> Given a command prompt, download this exploit, compile it, run it... and
>> >> you suddenly have root.  What is interesting about this is, as soon as you
>> >> have root, you can disable SELinux.
>> >>
>> >> Apparently it can be mitigated using this kernel module:
>> >>
>> >> http://elrepo.org/tiki/kmod-tpe
>> >>
>> >> I spun up a test VM and tested this - it works!  What would be interesting
>> >> is doing some investigation to see if SELinux could prevent damage if this
>> >> code was run from a malicious web app instead of the command prompt.
>> >>
>> >> Also, I wonder if this works on Scientific Linux and other RHEL
>> >> derivatives, or RHEL itself?
>> >>
>> >> Cheers,
>> >> -JK
>> >>
>> >> _______________________________________________
>> >> colug-432 mailing list
>> >> colug-432 at colug.net
>> >> http://lists.colug.net/mailman/listinfo/colug-432
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> -- R;   <><
>>
>
>
>
>
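An added example for readers repeating the experiment above; this is not code from the thread or from any of its posters. The question it answers is the one a practitioner would ask next: when the suid helper fails to read /etc/shadow or to run setenforce, was it SELinux that stopped it, and is the helper still inside httpd_t? The audit lines embedded here are constructed to look like what a confined httpd_t process produces on a RHEL 6 style box when it tries to read /etc/shadow (labelled shadow_t) and to flip the enforce node (class security, permission setenforce); they were not captured from a test VM. The variable and function names (SAMPLE_AUDIT, avc_summary, domain_of_context, in_httpd_domain, permissive_hits) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: interpret the audit trail of the
# "suid root helper launched from a WSGI script under httpd" experiment.
# Function and variable names are my own. The records below are constructed
# to match what a confined httpd_t process produces when it tries to read
# /etc/shadow (labelled shadow_t) and to write the SELinux enforce node
# (class security, permission setenforce); they were not captured from a VM.

SAMPLE_AUDIT='type=AVC msg=audit(1368566339.101:201): avc:  denied  { read } for  pid=2231 comm="shadowcp" name="shadow" dev=dm-0 ino=393 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1368566339.101:201): arch=c000003e syscall=2 success=no exit=-13 pid=2231 uid=0 euid=0 comm="shadowcp" exe="/var/www/bin/shadowcp" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1368566340.204:202): avc:  denied  { setenforce } for  pid=2232 comm="setenforce" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1368566340.204:202): arch=c000003e syscall=2 success=no exit=-13 pid=2232 uid=0 euid=0 comm="setenforce" exe="/sbin/setenforce" subj=system_u:system_r:httpd_t:s0'

# Reduce each AVC denial on stdin to: <permission> <source type> <target type> <class>.
# Only type=AVC records are considered; SYSCALL records and ausearch separators are dropped.
avc_summary() {
    sed -n 's/^type=AVC .*denied  { \([^}]*\) } .*scontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]* tcontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]* tclass=\([a-z_]*\).*$/\1 \2 \3 \4/p'
}

# The type (third field) of a user:role:type:level context, e.g. httpd_t.
domain_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when a process context is still the confined httpd domain. setuid
# changes the uid, not the SELinux context: a uid-0 helper run by httpd stays in
# httpd_t unless policy defines a transition for the helper's file label. Seeing
# unconfined_t here would mean the policy let it out, and root really is game over.
in_httpd_domain() {
    [ "$(domain_of_context "$1")" = "httpd_t" ]
}

# Count AVC denials whose paired SYSCALL record (same audit id) says the call
# nevertheless succeeded: that is the signature of a permissive domain or of
# permissive mode, where the denial is logged but the access is granted.
permissive_hits() {
    awk '/^type=AVC /{ avc[$2]=1 }
         /^type=SYSCALL /{ if (avc[$2] && / success=yes /) n++ }
         END { print n+0 }'
}

# On the SELinux host itself (not in a sandbox) the same questions are answered by:
#   getenforce                                   # Enforcing, or denials above were only logged
#   ps -eZ | grep httpd                          # expect system_u:system_r:httpd_t:s0
#   ausearch -m avc -ts recent | avc_summary
#   ausearch -m avc,syscall -ts recent | permissive_hits

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | permissive_hits
```

The thing to look at is the source type in avc_summary's output: "httpd_t" on both denials means the suid binary kept the web server's confined context even with euid 0, which is why neither the shadow copy nor setenforce worked. A plain EACCES with no matching AVC record would point at DAC (or at the helper not actually being suid) rather than at SELinux, and a non-zero permissive_hits count means the denials were only logged, not enforced.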