[9front] patch your shit

[9front] patch your shit

[hiro]

some people did something that increases security apparently. so patch
your shit.

ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
author: Jacob Moody <moody@posixcafe.org>
date: Sat Aug 24 12:58:31 EDT 2024

lib9p: verify uname against returned AuthInfo from factotum (thanks humm)

Before this it was possible to Tauth and Tattach with one
user name and then authenticate with factotum using a different
user name. To fix this we now ensure that the uname matches the returned
cuid from AuthInfo.

This security bug is still pending a cute mascot and theme song.


mein name ist hase. bye.

Re: [9front] patch your shit

[Willow Liquorice]

e https://9front.org/
/Only three remote holes in the default install, in a heck of a long time!/
s/three/four
w https://9front.org/

	- Willow

On 24/08/2024 20:08, hiro wrote:
> some people did something that increases security apparently. so patch
> your shit.
> 
> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> author: Jacob Moody <moody@posixcafe.org>
> date: Sat Aug 24 12:58:31 EDT 2024
> 
> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> 
> Before this it was possible to Tauth and Tattach with one
> user name and then authenticate with factotum using a different
> user name. To fix this we now ensure that the uname matches the returned
> cuid from AuthInfo.
> 
> This security bug is still pending a cute mascot and theme song.
> 
> 
> mein name ist hase. bye.

Re: [9front] patch your shit

[Jacob Moody]

hjfs is not the default install, our number of holes is fine.

On 8/24/24 15:15, Willow Liquorice wrote:
> e https://9front.org/
> /Only three remote holes in the default install, in a heck of a long time!/
> s/three/four
> w https://9front.org/
> 
> 	- Willow
> 
> On 24/08/2024 20:08, hiro wrote:
>> some people did something that increases security apparently. so patch
>> your shit.
>>
>> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
>> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
>> author: Jacob Moody <moody@posixcafe.org>
>> date: Sat Aug 24 12:58:31 EDT 2024
>>
>> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
>>
>> Before this it was possible to Tauth and Tattach with one
>> user name and then authenticate with factotum using a different
>> user name. To fix this we now ensure that the uname matches the returned
>> cuid from AuthInfo.
>>
>> This security bug is still pending a cute mascot and theme song.
>>
>>
>> mein name ist hase. bye.

Re: [9front] patch your shit

[adventures in9]

hjfs does have the "experimental" warning XD

On Sat, Aug 24, 2024 at 2:23 PM Jacob Moody <moody@posixcafe.org> wrote:
>
> hjfs is not the default install, our number of holes is fine.
>
> On 8/24/24 15:15, Willow Liquorice wrote:
> > e https://9front.org/
> > /Only three remote holes in the default install, in a heck of a long time!/
> > s/three/four
> > w https://9front.org/
> >
> >       - Willow
> >
> > On 24/08/2024 20:08, hiro wrote:
> >> some people did something that increases security apparently. so patch
> >> your shit.
> >>
> >> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> >> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> >> author: Jacob Moody <moody@posixcafe.org>
> >> date: Sat Aug 24 12:58:31 EDT 2024
> >>
> >> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> >>
> >> Before this it was possible to Tauth and Tattach with one
> >> user name and then authenticate with factotum using a different
> >> user name. To fix this we now ensure that the uname matches the returned
> >> cuid from AuthInfo.
> >>
> >> This security bug is still pending a cute mascot and theme song.
> >>
> >>
> >> mein name ist hase. bye.
>

Re: [9front] patch your shit

[sl]

> hjfs is not the default install, our number of holes is fine.

there is no default file system.

that claim on the website prints a different random number
every time it's loaded.

sl

Re: [9front] patch your shit

[Willow Liquorice]

Shit you're right lol.

inb4 that claim confuses some cybersecurity org with way too much free time.

On 24/08/2024 22:37, sl@stanleylieber.com wrote:
>> hjfs is not the default install, our number of holes is fine.
> 
> there is no default file system.
> 
> that claim on the website prints a different random number
> every time it's loaded.
> 
> sl

Re: [9front] patch your shit

[Eli Cohen]

The ruler of the South is called Dissatisfaction. The ruler of the
North: Revolution. The ruler at the center of the world is Chaos.
Dissatisfaction and Revolution met from time to time in the territory
of Chaos, and Chaos treated them very hospitably. The two rulers
planned how to repay Chaos’s kindness. They said: ‘Men all have seven
holes to their bodies for seeing, hearing, eating and breathing. Our
friend here has none of these. Let us try to bore some holes in him.’
Each day they bored one hole. On the seventh day Chaos died.

On Sat, Aug 24, 2024 at 2:42 PM Willow Liquorice <willow@howhill.com> wrote:
>
> Shit you're right lol.
>
> inb4 that claim confuses some cybersecurity org with way too much free time.
>
> On 24/08/2024 22:37, sl@stanleylieber.com wrote:
> >> hjfs is not the default install, our number of holes is fine.
> >
> > there is no default file system.
> >
> > that claim on the website prints a different random number
> > every time it's loaded.
> >
> > sl

Re: [9front] patch your shit

[Jacob Moody]

!WARNING!

As of the time of this writing (Sat Aug 24 22:17:26 GMT 2024) there is an issue
with this patch which causes hjfs to not permit none attaches. This is currently
being worked on and I suspect we'll have a solution within the next couple hours
but those running a hjfs CPU server may want to avoid updating immediately.
I will respond promptly to this thread once this bug has been patched, and I feel
it is safe to update these systems. I will provide a further write up once there is
a fix for the fix added.

- moody

On 8/24/24 14:08, hiro wrote:
> some people did something that increases security apparently. so patch
> your shit.
> 
> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> author: Jacob Moody <moody@posixcafe.org>
> date: Sat Aug 24 12:58:31 EDT 2024
> 
> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> 
> Before this it was possible to Tauth and Tattach with one
> user name and then authenticate with factotum using a different
> user name. To fix this we now ensure that the uname matches the returned
> cuid from AuthInfo.
> 
> This security bug is still pending a cute mascot and theme song.
> 
> 
> mein name ist hase. bye.

Re: [9front] patch your shit

[Jacob Moody]

As of the time of this writing (Sun Aug 25 00:52:02 GMT 2024) the aforementioned
issue with the first patch has now been fixed thanks to cinap.
I can now suggest (and recommend) that individuals who are running hjfs systems update.
The update process is a bit more involved because the hjfs binary used for the root
file system on file servers is started from the paqfs.

This makes the full update process to be:
1. Update lib9p
2. Update hjfs
3. Update and install a new kernel for your system.

For an amd64 system this will look something like:
; cd /sys/src/lib9p && mk install
; cd /sys/src/cmd/hjfs && mk install
; cd /sys/src/9/pc64 && mk install
;
; # stash the known working kernel in case something goes awry...
; 9fs 9fat && cp /n/9/pc64 /n/9/pc64.bak
; cp /amd64/9pc64 /n/9/ && unmount /n/9 && unmount /n/9fat
; fshalt -r # reboot in to the new kernel

Now with the patches and update instructions out of the way,
I would like to talk more about the bug.

DESCRIPTION:

As the original commit message details, this is an issue where
lib9p did not verify that the user who was issuing the Tauth and
Rauth requests matched the one doing the authentication.
This effectively allows any user within the configured auth domain
to impersonate another user with some well placed 9p messages.

This could be abused in the following scenario:

* Alice is running a 9front hjfs file server and auth server combination, which allows 9p mounts over tcp/tls.
* Alice's hostowner for her server is 'alice'.
* Alice has previously created a user for Eve, who has limited access within the server.
* Eve creates a local install with a local user named 'alice'.
* While logged in to her local alice user, Eve fills her factotum with her valid 'eve' user for Alice's auth server.
* Eve, as her local 'alice', user mounts Alice's hjfs server.
* Due to this bug, Eve has now mounted Alice's hjfs as Alice's hostowner.

IMPACT:

This code was solely employed by hjfs and thus affects only hjfs.

- moody

On 8/24/24 17:18, Jacob Moody wrote:
> !WARNING!
> 
> As of the time of this writing (Sat Aug 24 22:17:26 GMT 2024) there is an issue
> with this patch which causes hjfs to not permit none attaches. This is currently
> being worked on and I suspect we'll have a solution within the next couple hours
> but those running a hjfs CPU server may want to avoid updating immediately.
> I will respond promptly to this thread once this bug has been patched, and I feel
> it is safe to update these systems. I will provide a further write up once there is
> a fix for the fix added.
> 
> - moody
> 
> On 8/24/24 14:08, hiro wrote:
>> some people did something that increases security apparently. so patch
>> your shit.
>>
>> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
>> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
>> author: Jacob Moody <moody@posixcafe.org>
>> date: Sat Aug 24 12:58:31 EDT 2024
>>
>> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
>>
>> Before this it was possible to Tauth and Tattach with one
>> user name and then authenticate with factotum using a different
>> user name. To fix this we now ensure that the uname matches the returned
>> cuid from AuthInfo.
>>
>> This security bug is still pending a cute mascot and theme song.
>>
>>
>> mein name ist hase. bye.
> 

Re: [9front] patch your shit

[rgl]

thanks for the detailed explanation moody!

fixing this right now…


-rodri

Re: [9front] patch your shit

[Kristo]

On August 24, 2024 7:08:42 PM UTC, hiro <23hiro@gmail.com> wrote:
>This security bug is still pending a cute mascot and theme song.

Don't forget the CVE identifier.

Re: [9front] patch your shit

[hiro]

that's misquoted. it's not my words, but out of a copy&pasted commit
message from moody.
sorry for my original error of including a better EOF marker (i used a
double-linebreak but clearly that wasn't clear enough).

On Sun, Aug 25, 2024 at 8:57 AM Kristo <kristo.ilmari@gmail.com> wrote:
>
> On August 24, 2024 7:08:42 PM UTC, hiro <23hiro@gmail.com> wrote:
> >This security bug is still pending a cute mascot and theme song.
>
> Don't forget the CVE identifier.