From: Justin Cormack <justin@specialbusservice.com>
To: musl@lists.openwall.com
Cc: Rich Felker <dalias@libc.org>, busybox <busybox@busybox.net>
Subject: Re: Re: Busybox on musl is affected by CVE-2015-1817
Date: Wed, 1 Apr 2015 00:11:18 +0100 [thread overview]
Message-ID: <CAK4o1Wxc8cdz9w59KshLBbON9EA5N-YrZyaVyXD+AstBieTMMg@mail.gmail.com> (raw)
In-Reply-To: <CAK1hOcMx=dHSx0kjXVFciqcuY0k=VwqM0Xb2zcwec8SyPvRtfA@mail.gmail.com>
On 31 March 2015 at 20:07, Denys Vlasenko <vda.linux@googlemail.com> wrote:
> On Mon, Mar 30, 2015 at 7:31 AM, Rich Felker <dalias@libc.org> wrote:
>> For details on CVE-2015-1817, see:
>> http://www.openwall.com/lists/musl/2015/03/30/1
>>
>> With musl-linked Busybox installed setuid and ping enabled, exploiting
>> this issue is trivial.
>>
>> While CVE-2015-1817 is certainly musl's fault, there are two changes
>> to Busybox I'd like to propose that would have prevented it from being
>> exploitable:
>>
>> 1. Having setuid utilities like ping obtain the resource they need (in
>> the case of ping, SOCK_RAW) without processing user input at all,
>> then fully dropping root (setuid(getuid())) before doing anything.
>> This has been standard practice for setuid programs since the 90s
>> and it feels bad that busybox is not doing it.
>
> In general this is acceptable, but with this particular case
> and CVE, it wouldn't help.
>
> create_icmp_socket(lsa) needs to know of which address family
> the socket should be:
>
> if (lsa->u.sa.sa_family == AF_INET6)
> sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
> else
> sock = socket(AF_INET, SOCK_RAW, 1); /* 1 == ICMP */
>
> This is only known after HOST is parsed.
> And CVE is in DNS resolving code :(
One advantage if the traditional separation of ping and ping6.
>
>> 2. Reconsider the rejection of the patch to add SOCK_DGRAM support for
>> ping, which allows it to run without root.
>
> This seems to lead to a significantly larger code.
Slightly larger code or security holes. Is it really that much bigger?
Justin
next prev parent reply other threads:[~2015-03-31 23:11 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-30 5:31 Rich Felker
2015-03-31 19:07 ` Denys Vlasenko
2015-03-31 23:11 ` Justin Cormack [this message]
2015-03-31 23:51 ` Rich Felker
2015-03-31 23:48 ` Rich Felker
2015-04-01 7:41 ` u-wsnj
2015-04-01 7:52 ` Raphael Cohn
2015-04-01 8:11 ` Harald Becker
2015-04-01 8:49 ` u-wsnj
2015-04-02 13:56 ` Harald Becker
2015-04-02 17:26 ` Рысь
2015-04-02 18:16 ` Harald Becker
2015-04-03 4:40 ` Рысь
2015-04-04 5:35 ` Harald Becker
2015-04-02 18:36 ` u-wsnj
2015-04-03 4:51 ` Рысь
2015-04-03 10:31 ` [OT] setuid (Re: Busybox on musl is affected by CVE-2015-1817) u-wsnj
2015-04-02 15:38 ` Re: Busybox on musl is affected by CVE-2015-1817 Rich Felker
2015-04-02 18:02 ` u-wsnj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK4o1Wxc8cdz9w59KshLBbON9EA5N-YrZyaVyXD+AstBieTMMg@mail.gmail.com \
--to=justin@specialbusservice.com \
--cc=busybox@busybox.net \
--cc=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).