| 2011-10-18 00:31:30 |
Hayawardh Vijayakumar |
bug |
|
|
added bug |
| 2011-10-18 16:09:55 |
Hayawardh Vijayakumar |
description |
Dear All,
I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
log_daemon_msg "Starting SELinux autorelabel"
if [ -e $statusfile ]; then
log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
log_end_msg 0
else
/usr/bin/touch $lockfile
log_end_msg 0
fi
}
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator for example restarts the daemon, in this gap, the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
Thanks,
Hayawardh Vijayakumar.
Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages
100 /var/lib/dpkg/status
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel
When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create |
Dear All,
I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
log_daemon_msg "Starting SELinux autorelabel"
if [ -e $statusfile ]; then
log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
log_end_msg 0
else
/usr/bin/touch $lockfile
log_end_msg 0
fi
}
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator for example restarts the daemon, in this gap, the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
Thanks,
Hayawardh Vijayakumar.
Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/universe Packages
100 /var/lib/dpkg/status
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel
When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create |
|
| 2011-10-21 21:41:10 |
Jamie Strandboge |
selinux (Ubuntu): importance |
Undecided |
Low |
|
| 2011-10-21 21:41:10 |
Jamie Strandboge |
selinux (Ubuntu): status |
New |
Triaged |
|
| 2011-10-22 04:12:56 |
Marc Deslauriers |
cve linked |
|
2011-3151 |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Lucid |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Lucid) |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Precise |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Precise) |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Natty |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Natty) |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Hardy |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Hardy) |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Oneiric |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Oneiric) |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Maverick |
|
| 2011-10-22 13:40:30 |
Jamie Strandboge |
bug task added |
|
selinux (Ubuntu Maverick) |
|
| 2011-10-22 13:41:26 |
Jamie Strandboge |
selinux (Ubuntu Lucid): status |
New |
In Progress |
|
| 2011-10-22 13:41:26 |
Jamie Strandboge |
selinux (Ubuntu Lucid): importance |
Undecided |
Low |
|
| 2011-10-22 13:41:27 |
Jamie Strandboge |
selinux (Ubuntu Lucid): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:41:27 |
Jamie Strandboge |
selinux (Ubuntu Maverick): status |
New |
In Progress |
|
| 2011-10-22 13:41:28 |
Jamie Strandboge |
selinux (Ubuntu Maverick): importance |
Undecided |
Low |
|
| 2011-10-22 13:41:28 |
Jamie Strandboge |
selinux (Ubuntu Maverick): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:41:30 |
Jamie Strandboge |
selinux (Ubuntu Natty): status |
New |
In Progress |
|
| 2011-10-22 13:41:30 |
Jamie Strandboge |
selinux (Ubuntu Natty): importance |
Undecided |
Low |
|
| 2011-10-22 13:41:31 |
Jamie Strandboge |
selinux (Ubuntu Natty): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:41:31 |
Jamie Strandboge |
selinux (Ubuntu Oneiric): status |
New |
In Progress |
|
| 2011-10-22 13:41:32 |
Jamie Strandboge |
selinux (Ubuntu Oneiric): importance |
Undecided |
Low |
|
| 2011-10-22 13:41:33 |
Jamie Strandboge |
selinux (Ubuntu Oneiric): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:41:33 |
Jamie Strandboge |
selinux (Ubuntu Precise): status |
Triaged |
In Progress |
|
| 2011-10-22 13:41:34 |
Jamie Strandboge |
selinux (Ubuntu Precise): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:41:35 |
Jamie Strandboge |
selinux (Ubuntu Hardy): status |
New |
In Progress |
|
| 2011-10-22 13:41:35 |
Jamie Strandboge |
selinux (Ubuntu Hardy): importance |
Undecided |
Low |
|
| 2011-10-22 13:41:36 |
Jamie Strandboge |
selinux (Ubuntu Hardy): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2011-10-22 13:43:36 |
Jamie Strandboge |
attachment added |
|
selinux_0.9ubuntu0.11.10.1.debdiff https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/876994/+attachment/2566358/+files/selinux_0.9ubuntu0.11.10.1.debdiff |
|
| 2011-10-26 23:18:15 |
Hayawardh Vijayakumar |
description |
Dear All,
I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
log_daemon_msg "Starting SELinux autorelabel"
if [ -e $statusfile ]; then
log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
log_end_msg 0
else
/usr/bin/touch $lockfile
log_end_msg 0
fi
}
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator for example restarts the daemon, in this gap, the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
Thanks,
Hayawardh Vijayakumar.
Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/universe Packages
100 /var/lib/dpkg/status
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel
When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create |
Dear All,
I think there might be a problem with the startup script /etc/init.d/selinux that allows an unprivileged user to create a file in any directory. I am copying a message I sent to Jamie Strandboge -
In my Ubuntu 11.10 (Oneiric), the script /etc/init.d/selinux contains:
statusfile=/.autorelabel
...
lockfile=/var/lock/selinux-relabel
...
# Start only creates the lock
start() {
log_daemon_msg "Starting SELinux autorelabel"
if [ -e $statusfile ]; then
log_warning_msg "A relabel has already been requested. Please reboot to finish relabeling your system."
log_end_msg 0
else
/usr/bin/touch $lockfile
log_end_msg 0
fi
}
As /var/lock is world writable, a user could presumably create a file in any location by making this a symlink. Admittedly, /var/lock does not persist across reboots (tmpfs), and once selinux-relabel has been created by root it cannot be changed, but if the administrator for example restarts the daemon, in this gap, the user could create the file. I confirmed this to be the case on my machine. Or, if selinux is installed for the first time, then too shall a link be followed if it is pre-created.
Please let me know if further details are required.
Thanks,
Hayawardh Vijayakumar.
Details:
# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
# apt-cache policy selinux
Installed: 1:0.9
Candidate: 1:0.9
Version table:
*** 1:0.9 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/universe Packages
100 /var/lib/dpkg/status
To exploit:
When SELinux is not installed or the autorelabel daemon is stopped through e.g., /etc/init.d/selinux stop
unpriv-user$ ln -s /etc/file_to_create /var/lock/selinux-relabel
When /etc/init.d/selinux start happens,
# ls -l /etc/file_to_create
-rw-r--r--. 1 root root 0 2011-10-17 20:29 /etc/file_to_create
EDIT: This was run under a kernel.org kernel that did not have yama installed. As Marc notes, under default yama configuration, this attack shall be blocked by the system due to yama (Maverick upwards). |
|
| 2011-12-21 17:22:52 |
Jamie Strandboge |
selinux (Ubuntu Maverick): status |
In Progress |
Invalid |
|
| 2011-12-21 17:22:54 |
Jamie Strandboge |
selinux (Ubuntu Natty): status |
In Progress |
Invalid |
|
| 2011-12-21 17:22:54 |
Jamie Strandboge |
selinux (Ubuntu Oneiric): status |
In Progress |
Invalid |
|
| 2011-12-21 17:22:55 |
Jamie Strandboge |
selinux (Ubuntu Precise): status |
In Progress |
Invalid |
|
| 2011-12-21 18:29:43 |
Jamie Strandboge |
attachment removed |
selinux_0.9ubuntu0.11.10.1.debdiff https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/876994/+attachment/2566358/+files/selinux_0.9ubuntu0.11.10.1.debdiff |
|
|
| 2011-12-21 18:30:12 |
Launchpad Janitor |
selinux (Ubuntu Precise): status |
Invalid |
Fix Released |
|
| 2011-12-21 18:36:22 |
Jamie Strandboge |
attachment added |
|
selinux_0.10~10.04.1.debdiff https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/876994/+attachment/2642973/+files/selinux_0.10%7E10.04.1.debdiff |
|
| 2011-12-21 18:36:51 |
Jamie Strandboge |
selinux (Ubuntu Maverick): status |
Invalid |
Fix Committed |
|
| 2011-12-21 18:36:53 |
Jamie Strandboge |
selinux (Ubuntu Natty): status |
Invalid |
Fix Committed |
|
| 2011-12-21 18:36:55 |
Jamie Strandboge |
selinux (Ubuntu Oneiric): status |
Invalid |
Fix Committed |
|
| 2011-12-21 18:36:57 |
Jamie Strandboge |
selinux (Ubuntu Lucid): status |
In Progress |
Fix Committed |
|
| 2011-12-21 18:36:59 |
Jamie Strandboge |
selinux (Ubuntu Hardy): status |
In Progress |
Fix Committed |
|
| 2011-12-21 18:37:04 |
Jamie Strandboge |
visibility |
private |
public |
|
| 2011-12-21 18:44:27 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/selinux |
|
| 2012-01-04 00:03:35 |
Launchpad Janitor |
selinux (Ubuntu Oneiric): status |
Fix Committed |
Fix Released |
|
| 2012-01-04 00:03:35 |
Launchpad Janitor |
selinux (Ubuntu Natty): status |
Fix Committed |
Fix Released |
|
| 2012-01-04 00:03:35 |
Launchpad Janitor |
selinux (Ubuntu Maverick): status |
Fix Committed |
Fix Released |
|
| 2012-01-04 00:03:35 |
Launchpad Janitor |
selinux (Ubuntu Lucid): status |
Fix Committed |
Fix Released |
|
| 2012-01-04 00:03:35 |
Launchpad Janitor |
selinux (Ubuntu Hardy): status |
Fix Committed |
Fix Released |
|
| 2012-01-04 00:11:22 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/maverick-security/selinux |
|
| 2012-01-04 00:11:24 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/oneiric-security/selinux |
|
| 2012-01-04 00:11:25 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/hardy-security/selinux |
|
| 2012-01-04 00:11:47 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/natty-security/selinux |
|
| 2012-01-04 00:11:49 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-security/selinux |
|
