From owner-freebsd-security@FreeBSD.ORG Sun Dec 25 05:14:45 2011
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>
From: Xin LI <delphij@gmail.com>
To: Doug Barton
Cc: freebsd-security@freebsd.org
Date: Sat, 24 Dec 2011 21:14:44 -0800
In-Reply-To: <4EF6444F.6090708@FreeBSD.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

Hi, Doug,

On Sat, Dec 24, 2011 at 1:29 PM, Doug Barton wrote:
> On 12/24/2011 12:46, Xin LI wrote:
>> Won't work because the binary might be run by privileged but chroot
>> user. Again, this is the first proposal that we have considered.
>
> Now that the cat is out of the bag, and a fix is available, might it not
> make sense to summarize the private discussions about this issue
> somewhere, and brainstorm about a better solution? I'd suggest -hackers,
> or perhaps -security as good public lists to do this on.
>
> A quick writeup along the lines of, "Here are the ideas we considered,
> and here is why we rejected them" would jump-start the discussion, and
> perhaps ease the frustration of the people who are just now looking at
> this and scratching their heads.
>
> I understand why the previous discussion was undertaken privately, but
> there is no need to continue the secrecy any longer.

Here are the ideas we came up with patches for that got dropped for some
reason (not solving all problems, causing incompatibility issues, etc.):

a) Have the dynamic linker check permissions (w^x policy) on shared
   libraries when the program is setuid;
b) Have nsdispatch(3) check permissions on configuration files;
c) Have a dlopen(3) wrapper with a flag that allows the caller to say
   "this is security sensitive, don't load libraries that have suspicious
   permissions";
d) Completely disable the nsdispatch reload feature;
e) The current version;
f) The current version, but with a wrapper around chroot(2) that disables
   all libc dlopen(3) calls;
g) The current version with libc_dlopen(3) exposed as a new API as well,
   and/or have the ugly API exposed in the FBSD_1.2 namespace. These are
   primarily trivial cleanup changes, and both were denied.

Requirements were:

 - Must not break existing and legitimate use of chroot(2); in other
   words, no semantics change permitted.
 - Must fix the ftpd(8) issue itself, since it's already public.
 - Must not break anything other than the attack, e.g. require additional
   steps other than patching.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Sun Dec 25 10:16:17 2011
From: Andrey Chernov <ache@vniz.net>
To: Xin LI
Cc: freebsd-security@FreeBSD.ORG, Doug Barton
Date: Sun, 25 Dec 2011 14:04:58 +0400
Message-ID: <20111225100458.GA33652@vniz.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Sat, Dec 24, 2011 at 09:14:44PM -0800, Xin LI wrote:
> - Must not break existing and legitimate use of chroot(2), in other
> words no semantics change permitted.

Later POSIX drops chroot() completely, so we can feel free from the bounds
of strict legitimacy. We already have many counterexamples (mainly related
to issetugid()). E.g. we disable user locale files - disable functionality.

IMHO, stopping thinking of chroot() as fully equivalent to the root
hierarchy will be a good starting point here.

-- 
http://ache.vniz.net/

From owner-freebsd-security@FreeBSD.ORG Mon Dec 26 05:27:37 2011
From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org, d@delphij.net
Reply-To: d@delphij.net
Date: Sun, 25 Dec 2011 21:27:35 -0800
Message-ID: <4EF805C7.1020909@delphij.net>
In-Reply-To: <14084D15E2C949D5ACD68E678F704286@white>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:07.chroot - gcc 4.2.2+

On 12/23/11 17:54, Dewayne Geraghty wrote:
> Do the changes to libc imply that community members that install
> and build their system using gcc 4.2.2+ will remain vulnerable? If
> so, should the /usr/src/UPDATING reflect this ongoing exposure?
>
> (I note that 8.2S uses gcc version 4.2.2 20070831 prerelease
> [FreeBSD] 9.0S has gcc 4.2.1)

This has nothing to do with gcc as far as I can tell. It does require
changes to your individual applications if they chroot into an untrusted
environment.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 09:24:33 2011
From: Marin Atanasov Nikolov <dnaeon@gmail.com>
To: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 10:58:43 +0200
Subject: Escaping from a jail with root privileges on the host

Hello,

Today I've managed to escape from a jail by accident and ended up with
root access to the host's filesystem.

Here's what I did:

* Using ezjail for managing my jails
* Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
* This works only when I use sudo, and cannot reproduce if I execute
  everything as root

First, created a folder *inside* the jail and cd to it:

host$ sudo ezjail-admin console jail-test

jail-test# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

jail-test# mkdir ~/jail-folder
jail-test# cd ~/jail-folder

jail-test# pwd
/root/jail-folder

Then from the host machine I've moved this folder to the cwd.

host$ pwd
/usr/home/mra

host$ sudo mv /home/jails/jail-test/root/jail-folder .

And then here's where the jail ends up :)

jail-test# pwd
/usr/home/mra/jail-folder

From here on the Jail's root user has full root privileges to the
host's filesystem.

Not sure if it is a sudo or jail issue, and would be nice if someone
with more experience can check this up :)

Regards,
Marin

-- 
Marin Atanasov Nikolov
dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 09:42:03 2011
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 09:41:58 +0000
Message-Id: <0A2510CC-578E-4EFB-A82E-E63F6A8EA226@lists.zabbadoz.net>
Subject: Re: Escaping from a jail with root privileges on the host

On 28. Dec 2011, at 08:58 , Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.

This has been discussed at length within the last year (I think it was).
See the updated man page:

http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 09:47:03 2011
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 09:28:00 +0000
Message-ID: <79515.1325064480@critter.freebsd.dk>
Subject: Re: Escaping from a jail with root privileges on the host

In message , Marin Atanasov Nikolov writes:

>Then from the host machine I've moved this folder to the cwd.
>[...]
>Not sure if it is sudo or jail issue, and would be nice if someone
>with more experience can check this up :)

That's an "error-42" issue.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 15:45:09 2011
From: Pawel Jakub Dawidek <pawel@dawidek.net>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org
Date: Wed, 28 Dec 2011 16:26:44 +0100
Message-ID: <20111228152644.GA1640@garage.freebsd.pl>
Subject: Re: Merry Christmas from the FreeBSD Security Team

On Fri, Dec 23, 2011 at 11:12:13PM +0100, Oliver Pinter wrote:
> On 12/23/11, Peter Jeremy wrote:
> > On 2011-Dec-23 07:41:20 -0800, FreeBSD Security Officer wrote:
> >>The timing, to put it bluntly, sucks.
> >
> > Since it's Saturday here, at the start of an extended holiday season, I
> > would tend to agree. That said, thanks for the explanation and I think
> > you made the right call.
> >
> >> On the positive side, most people
> >>have moved past telnet and on to SSH by now;
> >
> > I thought everyone had but an acquaintance explained that he has to run
> > telnet because his employer doesn't permit any encrypted outside access
> > so the employer can monitor all traffic.
>
> The solution for this situation is BalaBit SCB.
>
> http://www.balabit.com/network-security/scb

Or a similar (but much nicer) solution from a FreeBSD-friendly company:)

http://www.wheelsystems.com/products/products_fudo/spec?lang=en

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 18:58:07 2011
From: Julian Elischer <julian@freebsd.org>
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 10:32:23 -0800
Message-ID: <4EFB60B7.4040200@freebsd.org>
Subject: Re: Escaping from a jail with root privileges on the host

On 12/28/11 12:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
> everything as root
>
> First, created a folder *inside* the jail and cd to it:
>
> host$ sudo ezjail-admin console jail-test
>
> jail-test# id
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
>
> jail-test# mkdir ~/jail-folder
> jail-test# cd ~/jail-folder
>
> jail-test# pwd
> /root/jail-folder
>
> Then from the host machine I've moved this folder to the cwd.
>
> host$ pwd
> /usr/home/mra
>
> host$ sudo mv /home/jails/jail-test/root/jail-folder .
>
> And then here's where the jail ends up :)
>
> jail-test# pwd
> /usr/home/mra/jail-folder
>
> From here on the Jail's root user has full root privileges to the
> host's filesystem.
>
> Not sure if it is sudo or jail issue, and would be nice if someone
> with more experience can check this up :)

This is not really "escaping". It's more like "being sprung by your
friends outside" since it requires outside participation. The jailed
process cannot do it by itself.
Now what would be more interesting is if the jailed process can make a new
jail inside the old jail and then 'spring' the inmate there. Will that
inmate still be inside the parent jail, or outside both jails?

> Regards,
> Marin
>

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 20:54:49 2011
From: Benjamin Kaduk <kaduk@mit.edu>
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org
Date: Wed, 28 Dec 2011 15:39:43 -0500 (EST)
Subject: Re: Escaping from a jail with root privileges on the host

[minus -stable]

On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:

> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
>
> Here's what I did:
>
> * Using ezjail for managing my jails
> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
> * This works only when I use sudo, and cannot reproduce if I execute
> everything as root

I cannot see how the use of sudo would be relevant -- the fundamental
issue merely requires the vnode of the directory in question to be moved
(not copied) past the jail's root vnode. Could you give a bit more detail
about how you came to believe that sudo is necessary?

-Ben Kaduk

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 19:29:55 2011
From: Stephen Montgomery-Smith <stephen@missouri.edu>
To: Marin Atanasov Nikolov
Cc: freebsd-security@freebsd.org, ml-freebsd-stable
Date: Wed, 28 Dec 2011 13:11:06 -0600
Message-ID: <4EFB69CA.9080804@missouri.edu>
Subject: Re: Escaping from a jail with root privileges on the host

On 12/28/2011 02:58 AM, Marin Atanasov Nikolov wrote:
> Hello,
>
> Today I've managed to escape from a jail by accident and ended up with
> root access to the host's filesystem.
> > Here's what I did: > > * Using ezjail for managing my jails > * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3 > * This works only when I use sudo, and cannot reproduce if I execute > everything as root > > First, created a folder *inside* the jail and cd to it: > > host$ sudo ezjail-admin console jail-test > > jail-test# id > uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) > > jail-test# mkdir ~/jail-folder > jail-test# cd ~/jail-folder > > jail-test# pwd > /root/jail-folder > > Then from the host machine I've moved this folder to the cwd. > > host$ pwd > /usr/home/mra > > host$ sudo mv /home/jails/jail-test/root/jail-folder . > > And then here's where the jail ends up :) > > jail-test# pwd > /usr/home/mra/jail-folder > >> From here on the Jail's root user has full root privileges to the > host's filesystem. > > Not sure if it is sudo or jail issue, and would be nice if someone > with more experience can check this up :) > > Regards, > Marin > This is rather fascinating. I agree with the poster that the jail didn't really escape, but was "sprung from the outside." But more than that, I imagine it would be very hard to stop this without either completely rethinking how unix filesystems work, or adding significant overhead to the OS so that it checks every single "mv" command against all existing jails. I think the warning in the man page http://svnweb.freebsd.org/base/head/usr.sbin/jail/jail.8?r1=221665&r2=224286 is a better way to go. 
Stephen

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 22:42:09 2011
From: Marin Atanasov Nikolov
To: Benjamin Kaduk
Cc: freebsd-security@freebsd.org
Date: Thu, 29 Dec 2011 00:42:09 +0200
Subject: Re: Escaping from a jail with root privileges on the host

On Wed, Dec 28, 2011 at 10:39 PM, Benjamin Kaduk wrote:
> [minus -stable]
>
>
> On Wed, 28 Dec 2011, Marin Atanasov Nikolov wrote:
>
>> Hello,
>>
>> Today I've managed to escape from a jail by accident and ended up with
>> root access to the host's filesystem.
>>
>> Here's what I did:
>>
>> * Using ezjail for managing my jails
>> * Verified in FreeBSD 9.0-BETA3 and 9.0-RC3
>> * This works only when I use sudo, and cannot reproduce if I execute
>>   everything as root
>
>
> I cannot see how the use of sudo would be relevant -- the fundamental issue
> merely requires the vnode of the directory in question to be moved (not
> copied) past the jail's root vnode.  Could you give a bit more detail about
> how you came to believe that sudo is necessary?
>

Hi everyone,

Thanks for the feedback.

@Ben: I was only able to reproduce this using sudo(8) when doing "mv ." (See first mail for exact steps)

Important notes:

* The directory to mv is "." (cwd) - mv'ing to anything else than "." does no harm
* Doing the "mv ." as root user (without sudo(8) !) does not result in the jail getting access to the host's fs

That is why I've mentioned that I'm not sure whether this is sudo(8) related or ezjail, or just jail.. I can only reproduce it using sudo for moving the folder...
Hope that clears things up a bit :)

Regards,
Marin

> -Ben Kaduk

--
Marin Atanasov Nikolov
dnaeon AT gmail DOT com
daemon AT unix-heaven DOT org
http://www.unix-heaven.org/

From owner-freebsd-security@FreeBSD.ORG Wed Dec 28 23:29:12 2011
From: Dag-Erling Smørgrav
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org, Marin Atanasov Nikolov, ml-freebsd-stable
Date: Thu, 29 Dec 2011 00:11:26 +0100
Message-ID: <86zkecnvfl.fsf@ds4.des.no>
In-Reply-To: <4EFB69CA.9080804@missouri.edu> (Stephen Montgomery-Smith's message of "Wed, 28 Dec 2011 13:11:06 -0600")
References: <4EFB69CA.9080804@missouri.edu>
Subject: Re: Escaping from a jail with root privileges on the host

Stephen Montgomery-Smith writes:
> I agree with the poster that the jail didn't really escape, but was
> "sprung from the outside."
Easily prevented by making sure that every jail's root directory is unreachable to unprivileged users.  Say your jails are in /jail/foo, /jail/bar and /jail/baz; if /jail is readable only by root (and perhaps wheel), it won't be possible for anyone else to move a directory out of a jail.

> But more than that, I imagine it would be very hard to stop this
> without either completely rethinking how unix filesystems work, or
> adding significant overhead to the OS so that it checks every single
> "mv" command against all existing jails.

Not really.  It is trivial to get a list of processes that have a given vnode as their wd:

% fstat $PWD
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
des      fstat      80052   wd /home/des     3 drwxr-xr-x     398  r /home/des
des      zsh        77329   wd /home/des     3 drwxr-xr-x     398  r /home/des
des      zsh        26841   wd /home/des     3 drwxr-xr-x     398  r /home/des
des      emacs       2577   wd /home/des     3 drwxr-xr-x     398  r /home/des
des      zsh         2574   wd /home/des     3 drwxr-xr-x     398  r /home/des

So if any of these processes are jailed and the new location is outside the jail root, the process should have its wd either forcibly changed (e.g. to the jail root) or invalidated somehow.  The problem is that you not only have to check the directory you're moving, but all its subdirectories as well.  I can think of ways to speed up the process; they require non-trivial changes to VFS, but not "completely rethinking how unix filesystems work".
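[Editor's added example, not code from this thread or from FreeBSD.] The two points above translate into a pre-flight check an operator can run on the host: confirm that the directory holding the jail roots is unreachable to unprivileged users, and, before moving anything out of a jail tree, list the processes whose working directory sits inside it. The function names jail_parent_ok and procs_with_wd_under are mine; the permission rule (owned by root, no bits for "other", group access only for gid 0 and never write) is my reading of the "readable only by root (and perhaps wheel)" suggestion; and procs_with_wd_under assumes FreeBSD's fstat(1) with the FD column reading "wd" for a working directory, as in the output quoted above.

```shell
#!/bin/sh
# Added example: pre-flight checks for a host that keeps jail roots under one
# directory such as /jail. Not from the thread or from FreeBSD; names are mine.

# Print "permission-bits uid gid" for PATH using POSIX ls -ldn (numeric ids).
# Output is empty if PATH cannot be listed.
dir_mode_uid_gid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 2, 9), $3, $4 }'
}

# jail_parent_ok DIR [OWNER_UID]
# Return 0 if DIR is an acceptable parent for jail roots: owned by OWNER_UID
# (default 0), no permission bits for "other", and group bits only when the
# group is gid 0 (wheel) and never include write. Anything else prints one
# line of explanation and returns 1; a DIR that cannot be listed returns 2.
jail_parent_ok() {
    dir=$1
    want_uid=${2:-0}
    set -- $(dir_mode_uid_gid "$dir")
    mode=$1 uid=$2 gid=$3
    [ -n "$mode" ] || return 2
    group=$(printf '%s' "$mode" | cut -c4-6)
    other=$(printf '%s' "$mode" | cut -c7-9)
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    if [ "$other" != "---" ]; then
        echo "$dir: accessible to everyone ($mode)"; return 1
    fi
    case $group in
        ---) ;;
        *w*) echo "$dir: group-writable ($mode)"; return 1 ;;
        *)   if [ "$gid" -ne 0 ]; then
                 echo "$dir: readable by group $gid, not wheel ($mode)"; return 1
             fi ;;
    esac
    return 0
}

# FreeBSD only (assumption: fstat(1) reports FD "wd" for a process's working
# directory, as in the output quoted above). List every process whose working
# directory is DIR or any directory below it; a jailed process shown here
# would be left with a cwd outside its jail if DIR were moved out of the tree.
procs_with_wd_under() {
    find "$1" -type d -exec fstat {} + 2>/dev/null | awk '$4 == "wd"'
}

# Usage: sh jailcheck.sh /jail
if [ $# -gt 0 ]; then
    jail_parent_ok "$1" && echo "$1: ok"
fi
```

jail_parent_ok only inspects the parent directory; the subdirectory problem DES mentions is what procs_with_wd_under covers by walking the tree with find before handing every directory to fstat.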
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 15:31:01 2011
From: John Baldwin
To: Xin LI
Cc: freebsd-security@freebsd.org, Doug Barton
Date: Thu, 29 Dec 2011 09:39:53 -0500
Message-Id: <201112290939.53665.jhb@freebsd.org>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On Sunday, December 25, 2011 12:14:44 am Xin LI wrote:
> Hi, Doug,
>
> On Sat, Dec 24, 2011 at 1:29 PM, Doug Barton wrote:
> > On 12/24/2011 12:46, Xin LI wrote:
> >> Won't work because the binary might be run by privileged but chroot
> >> user. Again, this is the first proposal that we have considered.
> >
> > Now that the cat is out of the bag, and a fix is available, might it not
> > make sense to summarize the private discussions about this issue
> > somewhere, and brainstorm about a better solution? I'd suggest -hackers,
> > or perhaps -security as good public lists to do this on.
> >
> > A quick writeup along the lines of, "Here are the ideas we considered,
> > and here is why we rejected them" would jump-start the discussion, and
> > perhaps ease the frustration of the people who are just now looking at
> > this and scratching their heads.
> >
> > I understand why the previous discussion was undertaken privately, but
> > there is no need to continue the secrecy any longer.
>
> Here are the ideas we came up with, with patches, that got dropped for some
> reason (not solving all problems, causing incompatibility issues, etc.):
>
> a) Have the dynamic linker check permissions (w^x policy) on shared
> libraries when the program is setuid;
> b) Have nsdispatch(3) check permissions on configuration files;
> c) Have a dlopen(3) wrapper that has a flag that allows the caller to say
> "this is security sensitive and don't load libraries that have
> suspicious permissions";
> d) Completely disable the nsdispatch reload feature;
> e) The current version;
> f) The current version but with a wrapper around chroot(2) that
> disables all libc dlopen(3) calls;
> g) The current version with libc_dlopen(3) exposed as a new API as
> well and/or the ugly API exposed in the FBSD_1.2 namespace. These are
> primarily trivial cleanup changes and both were denied.
>
> Requirements were:
>
> - Must not break existing and legitimate use of chroot(2), in other
> words no semantics change permitted.
> - Must fix the ftpd(8) issue itself since it's already public.
> - Must not break anything other than the attack, e.g. require
> additional steps other than patching.

Can you give some more details on why ftpd is triggering a dlopen inside of the chroot? It would appear that that is unrelated to helper programs (since setting a flag in libc in ftpd can't possibly affect helper programs' ability to use dlopen() from within libc).
--
John Baldwin

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:26:18 2011
From: Xin Li
Organization: The FreeBSD Project
To: John Baldwin
Cc: freebsd-security@freebsd.org, Doug Barton, d@delphij.net
Date: Thu, 29 Dec 2011 10:26:17 -0800
Message-ID: <4EFCB0C9.6090608@delphij.net>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org> <201112290939.53665.jhb@freebsd.org>
In-Reply-To: <201112290939.53665.jhb@freebsd.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On 12/29/11 06:39, John Baldwin wrote:
> Can you give some more details on why ftpd is triggering a dlopen
> inside of the chroot? It would appear that that is unrelated to
> helper programs (since setting a flag in libc in ftpd can't
> possibly affect helper programs' ability to use dlopen() from within
> libc).

Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if it notices a change. After chroot() the file is considered as "chang"ed and thus it reloads the file as well as designated shared libraries.

Cheers,
--
Xin LI
https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:36:15 2011
From: Andrey Chernov
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Date: Thu, 29 Dec 2011 22:36:06 +0400
Message-ID: <20111229183606.GA48785@vniz.net>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net>
In-Reply-To: <4EFCB0C9.6090608@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
> On 12/29/11 06:39, John Baldwin wrote:
> > Can you give some more details on why ftpd is triggering a dlopen
> > inside of the chroot? It would appear that that is unrelated to
> > helper programs (since setting a flag in libc in ftpd can't
> > possibly affect helper programs' ability to use dlopen() from within
> > libc).
>
> Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if
> it notices a change. After chroot() the file is considered as
> "chang"ed and thus it reloads the file as well as designated shared
> libraries.

Another proposal, closer to the @secteam version but less ugly: have a public API rtld function (or env variable) which prevents _any_ dlopen(), not only those currently guarded by libc.
That way only rtld and ftpd need to be rebuilt, but not libc itself.

--
http://ache.vniz.net/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:43:05 2011
From: John Baldwin
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Doug Barton
Date: Thu, 29 Dec 2011 13:43:02 -0500
Message-Id: <201112291343.02248.jhb@freebsd.org>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net>
In-Reply-To: <4EFCB0C9.6090608@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
> On 12/29/11 06:39, John Baldwin wrote:
> > Can you give some more details on why ftpd is triggering a dlopen
> > inside of the chroot? It would appear that that is unrelated to
> > helper programs (since setting a flag in libc in ftpd can't
> > possibly affect helper programs' ability to use dlopen() from within
> > libc).
>
> Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if
> it notices a change. After chroot() the file is considered as
> "chang"ed and thus it reloads the file as well as designated shared
> libraries.

But ftpd has to be doing some operation that invokes an nss lookup after entering the chroot for that to trigger, correct?

--
John Baldwin

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:44:02 2011
From: Xin Li
Organization: The FreeBSD Project
To: John Baldwin
Cc: freebsd-security@freebsd.org, Doug Barton, d@delphij.net
Date: Thu, 29 Dec 2011 10:44:01 -0800
Message-ID: <4EFCB4F1.2050500@delphij.net>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net> <201112291343.02248.jhb@freebsd.org>
In-Reply-To: <201112291343.02248.jhb@freebsd.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/29/11 10:43, John Baldwin wrote:
> On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>> On 12/29/11 06:39, John Baldwin wrote:
>>> Can you give some more details on why ftpd is triggering a
>>> dlopen inside of the chroot? It would appear that that is
>>> unrelated to helper programs (since setting a flag in libc in
>>> ftpd can't possibly affect helper programs' ability to use
>>> dlopen() from within libc).
>>
>> Sure. That's because nsdispatch(3) would reload
>> /etc/nsswitch.conf if it notices a change. After chroot() the
>> file is considered as "chang"ed and thus it reloads the file as
>> well as designated shared libraries.
>
> But ftpd has to be doing some operation that invokes an nss lookup
> after entering the chroot for that to trigger, correct?

Oh ok, that was the built-in ls(1).

Cheers,
--
Xin LI
https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:49:20 2011
From: Patrick Proniewski
To: freebsd-security@freebsd.org
Date: Thu, 29 Dec 2011 19:32:58 +0100
In-Reply-To: <201112231536.pBNFaoj3078926@freefall.freebsd.org>
References: <201112231536.pBNFaoj3078926@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

Hello,

On 23 Dec 2011, at 16:36, FreeBSD Security Advisories wrote:

> 3) To update your vulnerable system via a binary patch:
>
> Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
> the i386 or amd64 platforms can be updated via the freebsd-update(8)
> utility:
>
> # freebsd-update fetch
> # freebsd-update install

This is strange, before update I was 8.1-RELEASE-p5, during update freebsd-update wrote about 8.1-RELEASE-p7, and after update I'm still running 8.1-RELEASE-p5...

after upgrade:

# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 8.1-RELEASE from update5.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 8.1-RELEASE-p7.

# uname -r
8.1-RELEASE-p5

any idea?
patpro

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 18:56:42 2011
From: Xin Li
Organization: The FreeBSD Project
To: Patrick Proniewski
Cc: freebsd-security@freebsd.org, d@delphij.net
Date: Thu, 29 Dec 2011 10:56:41 -0800
Message-ID: <4EFCB7E9.1040506@delphij.net>
References: <201112231536.pBNFaoj3078926@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh
On 12/29/11 10:32, Patrick Proniewski wrote:
> Hello,
>
> On 23 Dec 2011, at 16:36, FreeBSD Security Advisories wrote:
>
>> 3) To update your vulnerable system via a binary patch:
>>
>> Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or
>> 8.1-RELEASE on the i386 or amd64 platforms can be updated via the
>> freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>
> This is strange, before update I was 8.1-RELEASE-p5, during update
> freebsd-update wrote about 8.1-RELEASE-p7, and after update I'm
> still running 8.1-RELEASE-p5...
>
> after upgrade:
>
> # freebsd-update fetch
> Looking up update.FreeBSD.org mirrors... 4 mirrors found.
> Fetching metadata signature for 8.1-RELEASE from update5.FreeBSD.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 8.1-RELEASE-p7.
>
> # uname -r
> 8.1-RELEASE-p5
>
> any idea?

Have you restarted your system? I *think* it should say -p6 there because this batch does not change kernel (last batch did change kernel but I guess you already patched?)

Cheers,
--
Xin LI
https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:00:44 2011
From: John Baldwin
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Doug Barton
Date: Thu, 29 Dec 2011 14:00:41 -0500
Message-Id: <201112291400.41075.jhb@freebsd.org>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291343.02248.jhb@freebsd.org> <4EFCB4F1.2050500@delphij.net>
In-Reply-To: <4EFCB4F1.2050500@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
> On 12/29/11 10:43, John Baldwin wrote:
> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
> >> On 12/29/11 06:39, John Baldwin wrote:
> >>> Can you give some more details on why ftpd is triggering a
> >>> dlopen inside of the chroot? It would appear that that is
> >>> unrelated to helper programs (since setting a flag in libc in
> >>> ftpd can't possibly affect helper programs' ability to use
> >>> dlopen() from within libc).
> >>
> >> Sure. That's because nsdispatch(3) would reload
> >> /etc/nsswitch.conf if it notices a change. After chroot() the
> >> file is considered as "chang"ed and thus it reloads the file as
> >> well as designated shared libraries.
> >
> > But ftpd has to be doing some operation that invokes an nss lookup
> > after entering the chroot for that to trigger, correct?
>
> Oh ok, that was the built-in ls(1).

Were we not able to drop privilege before doing that? I.e. if you forked a new process that dropped privilege before doing the ls (similar to if you were to exec /bin/ls as a helper), would that not have fixed this?
--
John Baldwin

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:10:37 2011
From: Xin LI
To: John Baldwin
Cc: freebsd-security@freebsd.org, Doug Barton
Date: Thu, 29 Dec 2011 11:10:37 -0800
In-Reply-To: <201112291400.41075.jhb@freebsd.org>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291343.02248.jhb@freebsd.org> <4EFCB4F1.2050500@delphij.net> <201112291400.41075.jhb@freebsd.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin wrote:
> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
>> On 12/29/11 10:43, John Baldwin wrote:
>> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>> >> On 12/29/11 06:39, John Baldwin wrote:
>> >>> Can you give some more details on why ftpd is triggering a
>> >>> dlopen inside of the chroot? It would appear that that is
>> >>> unrelated to helper programs (since setting a flag in libc in
>> >>> ftpd can't possibly affect helper programs' ability to use
>> >>> dlopen() from within libc).
>> >>
>> >> Sure. That's because nsdispatch(3) would reload
>> >> /etc/nsswitch.conf if it notices a change. After chroot() the
>> >> file is considered as "chang"ed and thus it reloads the file as
>> >> well as designated shared libraries.
>> >
>> > But ftpd has to be doing some operation that invokes an nss lookup
>> > after entering the chroot for that to trigger, correct?
>>
>> Oh ok, that was the built-in ls(1).
>
> Were we not able to drop privilege before doing that? I.e. if you
> forked a new process that dropped privilege before doing the ls
> (similar to if you were to exec /bin/ls as a helper), would that not
> have fixed this?

No, it won't. This is arbitrary code execution and not just privilege escalation :(

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:15:45 2011
Message-ID: <4EFCBC60.3080607@delphij.net>
Date: Thu, 29 Dec 2011 11:15:44 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Andrey Chernov, d@delphij.net, John Baldwin, freebsd-security@FreeBSD.ORG, Doug Barton
In-Reply-To: <20111229183606.GA48785@vniz.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/29/11 10:36, Andrey Chernov wrote:
> On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
>> On 12/29/11 06:39, John Baldwin wrote:
>>> Can you give some more details on why ftpd is triggering a
>>> dlopen inside of the chroot? It would appear that that is
>>> unrelated to helper programs (since setting a flag in libc in
>>> ftpd can't possibly affect helper programs' ability to use
>>> dlopen() from within libc).
>>
>> Sure. That's because nsdispatch(3) would reload
>> /etc/nsswitch.conf if it notices a change. After chroot() the
>> file is considered as "chang"ed and thus it reloads the file as
>> well as designated shared libraries.
>
> Another proposal, closer to the @secteam version but less ugly: to
> have a public API rtld function (or env variable) which prevents
> _any_ dlopen(), not guarded currently by libc only.

Would you please elaborate how this would be less ugly (e.g. with a patch)?

> That way only rtld and ftpd need to be rebuilt, but not libc
> itself.

We discussed a change like this but IIRC it was rejected because the affected surface is too broad and we wanted to limit it to just the implicit dlopen()s to avoid breaking legitimate applications.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:42:39 2011
Date: Thu, 29 Dec 2011 23:42:30 +0400
From: Andrey Chernov
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Message-ID: <20111229194229.GA49908@vniz.net>
In-Reply-To: <4EFCBC60.3080607@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Thu, Dec 29, 2011 at 11:15:44AM -0800, Xin Li wrote:
> Would you please elaborate how this would be less ugly (e.g. with a
> patch)?

Why do a patch if you apparently don't care? ) In a few words, it is less ugly because it 1) will be a public API, 2) will restrict all possible future dlopen() usage (e.g. someday tar, which is used in some ftpds, can use dlopen() to load its formats etc.)

> We discussed a change like this but IIRC it was rejected because the
> affected surface is too broad and we wanted to limit it to just the
> implicit dlopen()s to avoid breaking legitimate applications.

Instead of totally disabling it, we can (by calling an rtld function) restrict dlopen() in ftpd to an absolute-path list of known safe directories like "/etc", "/lib", "/usr/lib" etc.
--
http://ache.vniz.net/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:03:29 2011
From: John Baldwin
To: Xin LI
Cc: freebsd-security@freebsd.org, Doug Barton
Date: Thu, 29 Dec 2011 14:35:03 -0500
Message-Id: <201112291435.03493.jhb@freebsd.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Thursday, December 29, 2011 2:10:37 pm Xin LI wrote:
> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin wrote:
> > On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
> >> On 12/29/11 10:43, John Baldwin wrote:
> >> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
> >> >> On 12/29/11 06:39, John Baldwin wrote:
> >> >>> Can you give some more details on why ftpd is triggering a
> >> >>> dlopen inside of the chroot? It would appear that that is
> >> >>> unrelated to helper programs (since setting a flag in libc in
> >> >>> ftpd can't possibly affect helper programs' ability to use
> >> >>> dlopen() from within libc).
> >> >>
> >> >> Sure. That's because nsdispatch(3) would reload
> >> >> /etc/nsswitch.conf if it notices a change. After chroot() the
> >> >> file is considered as "chang"ed and thus it reloads the file as
> >> >> well as designated shared libraries.
> >> >
> >> > But ftpd has to be doing some operation that invokes an nss lookup
> >> > after entering the chroot for that to trigger, correct?
> >>
> >> Oh ok, that was the built-in ls(1).
> >
> > Were we not able to drop privilege before doing that? I.e. if you
> > forked a new process that dropped privilege before doing the ls
> > (similar to if you were to exec /bin/ls as a helper), would that not
> > have fixed this?
>
> No, it won't. This is arbitrary code execution and not just privilege
> escalation :(

So how is there not still a problem for helper programs? Is ls the only way a user can initiate a helper program? Hmm, looks like ftpd will only ever invoke ls, and thus only ls_main(), so there's lots of dead code (e.g. where ftpd invokes execv() in ftpd_popen() is a dead code path).
That clears up some confusion on my part as I didn't understand why it was ok to execute arbitrary programs from ftpd but the built-in ls was special. I still find the symbol name incredibly ugly. Another route might have been to set an env var to disable use of dlopen() in libc. That would have worked even if ftpd invoked an external program, whereas the built-in ls is now key to security and no longer a simple optimization.

--
John Baldwin

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:06:24 2011
From: Patrick Proniewski
To: d@delphij.net
Cc: freebsd-security@freebsd.org
Date: Thu, 29 Dec 2011 21:06:20 +0100
Message-Id: <89DD399E-DCCA-4C4A-BFB9-3990E6720C75@patpro.net>
In-Reply-To: <4EFCB7E9.1040506@delphij.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

On 29 Dec 2011, at 19:56, Xin Li wrote:
>> No updates needed to update system to 8.1-RELEASE-p7.
>>
>> # uname -r
>> 8.1-RELEASE-p5
>>
>> any idea?
>
> Have you restarted your system? I *think* it should say -p6 there
> because this batch does not change kernel (last batch did change
> kernel but I guess you already patched?)

I have rebooted (twice). That's strange.

patpro

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:15:33 2011
Message-ID: <4EFCCA63.5070409@delphij.net>
Date: Thu, 29 Dec 2011 12:15:31 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Andrey Chernov, d@delphij.net, John Baldwin, freebsd-security@FreeBSD.ORG, Doug Barton
In-Reply-To: <20111229194229.GA49908@vniz.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/29/11 11:42, Andrey Chernov wrote:
> On Thu, Dec 29, 2011 at 11:15:44AM -0800, Xin Li wrote:
>> Would you please elaborate how this would be less ugly (e.g. with
>> a patch)?
>
> Why do a patch if you apparently don't care? )

Ok, now you don't have to do a patch. I had asked because sometimes a patch would better describe what would be done, especially for abstract concepts like ugliness of code. As Alfred recently posted in a different thread, you may have a great idea in your mind but without the same background knowledge it's sometimes hard for others to understand it.

> In a few words, it is less ugly because it 1) will be a public API, 2)
> will restrict all possible future dlopen() usage (e.g. someday tar,
> which is used in some ftpds, can use dlopen() to load its formats
> etc.)
>
>> We discussed a change like this but IIRC it was rejected because
>> the affected surface is too broad and we wanted to limit it to
>> just the implicit dlopen()s to avoid breaking legitimate
>> applications.
>
> Instead of totally disabling it, we can (by calling an rtld function)
> restrict dlopen() in ftpd to an absolute-path list of known safe
> directories like "/etc", "/lib", "/usr/lib" etc.

This just came back to the origin!! These "safe" locations are not necessarily safe inside a chroot environment, and the issue was exactly loading a library underneath /lib/.

I just realized that someone has removed some details from my advisory draft, by the way. To clarify: the chroot issue is not about the usual usage of chroot, but the fact that many chroot setups are not safe (e.g. "recommended" practice is to create a user-writable directory under the chroot root with everything else read-only).

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:30:24 2011
Message-ID: <4EFCCDDF.5080602@delphij.net>
Date: Thu, 29 Dec 2011 12:30:23 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: John Baldwin
Cc: freebsd-security@freebsd.org, Doug Barton, d@delphij.net
In-Reply-To: <201112291435.03493.jhb@freebsd.org>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/29/11 11:35, John Baldwin wrote:
> On Thursday, December 29, 2011 2:10:37 pm Xin LI wrote:
>> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin wrote:
>>> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
>>>> On 12/29/11 10:43, John Baldwin wrote:
>>>>> On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>>>>>> On 12/29/11 06:39, John Baldwin wrote:
>>>>>>> Can you give some more details on why ftpd is
>>>>>>> triggering a dlopen inside of the chroot? It would
>>>>>>> appear that that is unrelated to helper programs (since
>>>>>>> setting a flag in libc in ftpd can't possibly affect
>>>>>>> helper programs' ability to use dlopen() from within
>>>>>>> libc).
>>>>>>
>>>>>> Sure. That's because nsdispatch(3) would reload
>>>>>> /etc/nsswitch.conf if it notices a change. After
>>>>>> chroot() the file is considered as "chang"ed and thus it
>>>>>> reloads the file as well as designated shared libraries.
>>>>>
>>>>> But ftpd has to be doing some operation that invokes an nss
>>>>> lookup after entering the chroot for that to trigger,
>>>>> correct?
>>>>
>>>> Oh ok, that was the built-in ls(1).
>>>
>>> Were we not able to drop privilege before doing that? I.e. if
>>> you forked a new process that dropped privilege before doing
>>> the ls (similar to if you were to exec /bin/ls as a helper),
>>> would that not have fixed this?
>>
>> No, it won't. This is arbitrary code execution and not just
>> privilege escalation :(
>
> So how is there not still a problem for helper programs? Is ls the
> only way a user can initiate a helper program? Hmm, looks like
> ftpd will only ever invoke ls, and thus only ls_main(), so there's
> lots of dead code (e.g. where ftpd invokes execv() in ftpd_popen()
> is a dead code path). That clears up some confusion on my part as
> I didn't understand why it was ok to execute arbitrary programs
> from ftpd but the built-in ls was special. I still find the symbol
> name incredibly ugly. Another route might have been to set an env
> var

It is ugly.

> to disable use of dlopen() in libc. That would have worked even if
> ftpd invoked an external program, whereas the built-in ls is now
> key to security and no longer a simple optimization.

I think it's not an optimization, but how would ftpd work in a chroot environment without a partial or full-blown FreeBSD inside the chroot setup? Otherwise one will not be able to do 'ls' if the user was chrooted.

Using an environment variable may not be a good idea since it can be easily overridden, and I think if the program runs something inside the chroot, the jailed chroot would have a more proper setup to avoid this type of attack?

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:35:23 2011
Date: Fri, 30 Dec 2011 00:35:16 +0400
From: Andrey Chernov
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Message-ID: <20111229203515.GA51102@vniz.net>
In-Reply-To: <4EFCCA63.5070409@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Thu, Dec 29, 2011 at 12:15:31PM -0800, Xin Li wrote:
> > Instead of totally disabling it, we can (by calling an rtld function)
> > restrict dlopen() in ftpd to an absolute-path list of known safe
> > directories like "/etc", "/lib", "/usr/lib" etc.
>
> This just came back to the origin!! These "safe" locations are not
> necessarily safe inside a chroot environment, and the issue was
> exactly loading a library underneath /lib/.
>
> I just realized that someone has removed some details from my
> advisory draft, by the way. To clarify: the chroot issue is not about
> the usual usage of chroot, but the fact that many chroot setups are
> not safe (e.g. "recommended" practice is to create a user-writable
> directory under the chroot root with everything else read-only).

An insecure setup (non-root /lib) may happen by admin mistake, which is a very different situation from loading a .so from the current (say /incoming/) directory. We can't provide babysitting for every admin in our code, but only in our documentation (probably by repeating the same thing in the ftpd docs and chroot docs). And many admins don't need babysitting and may take it as an unnecessary restriction.
--
http://ache.vniz.net/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:46:43 2011
Date: Fri, 30 Dec 2011 00:46:37 +0400
From: Andrey Chernov
To: d@delphij.net
Cc: freebsd-security@FreeBSD.ORG, Doug Barton, John Baldwin
Message-ID: <20111229204637.GB51102@vniz.net>
In-Reply-To: <4EFCCDDF.5080602@delphij.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On Thu, Dec 29, 2011 at 12:30:23PM -0800, Xin Li wrote:
> >> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin
> > Another route might have been to set an env
> > var

I already suggested it as one of the possible ways.

> Using an environment variable may not be a good idea since it can be
> easily overridden, and I think if the program runs something inside
> the chroot, the jailed chroot would have a more proper setup to avoid
> this type of attack?

In case the user (more precisely, ftpd) runs any program which resides in /incoming/, nothing helps in any case. In case ftpd runs known programs from known locations only, it can't be overridden, because a known program (say, ls) is not malicious by itself and can be turned malicious only by loading a .so from the current directory, which the env variable prevents.
--
http://ache.vniz.net/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 20:54:24 2011
Message-ID: <4EFCD37F.5030401@delphij.net>
Date: Thu, 29 Dec 2011 12:54:23 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Andrey Chernov, d@delphij.net, John Baldwin, freebsd-security@FreeBSD.ORG, Doug Barton
In-Reply-To: <20111229204637.GB51102@vniz.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

On 12/29/11 12:46, Andrey Chernov wrote:
[...]
> In case the user (more precisely, ftpd) runs any program which resides
> in /incoming/, nothing helps in any case. In case ftpd runs known
> programs from known locations only, it can't be overridden, because
> a known program

No, it doesn't run external programs.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 21:02:03 2011
Date: Fri, 30 Dec 2011 01:01:56 +0400
From: Andrey Chernov
To: d@delphij.net
Message-ID: <20111229210156.GA58409@vniz.net>
d@delphij.net, John Baldwin , freebsd-security@FreeBSD.ORG, Doug Barton References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291400.41075.jhb@freebsd.org> <201112291435.03493.jhb@freebsd.org> <4EFCCDDF.5080602@delphij.net> <20111229204637.GB51102@vniz.net> <4EFCD37F.5030401@delphij.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4EFCD37F.5030401@delphij.net> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@FreeBSD.ORG, Doug Barton , John Baldwin Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Dec 2011 21:02:03 -0000 On Thu, Dec 29, 2011 at 12:54:23PM -0800, Xin Li wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/29/11 12:46, Andrey Chernov wrote: > [...] > > In case user (more precisely, ftpd) runs any program which resides > > in /incoming/, nothing helps in anycase. In case ftpd runs known > > programs from known locations only, it can't be overriden because > > known program > > No it doesn't run external programs. I know) So, there are two problems as result: 1) Wrong chroot() setup (i.e. all program and directories are owned by user, not by root). The way to fight it is better explanation in both chroot(2) and ftpd(8) man pages. 2) Loading .so from the current directory. This should be fixed in the code by either calling rtld function or rtld env variable. 
-- http://ache.vniz.net/ From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 21:21:04 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CA146106566C; Thu, 29 Dec 2011 21:21:04 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id 89A5E8FC0A; Thu, 29 Dec 2011 21:21:04 +0000 (UTC) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [96.47.65.170]) by cyrus.watson.org (Postfix) with ESMTPSA id 0EABE46B09; Thu, 29 Dec 2011 16:21:04 -0500 (EST) Received: from jhbbsd.localnet (unknown [209.249.190.124]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id 95F4FB915; Thu, 29 Dec 2011 16:21:03 -0500 (EST) From: John Baldwin To: d@delphij.net Date: Thu, 29 Dec 2011 16:17:04 -0500 User-Agent: KMail/1.13.5 (FreeBSD/8.2-CBSD-20110714-p8; KDE/4.5.5; amd64; ; ) References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291435.03493.jhb@freebsd.org> <4EFCCDDF.5080602@delphij.net> In-Reply-To: <4EFCCDDF.5080602@delphij.net> MIME-Version: 1.0 Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <201112291617.05113.jhb@freebsd.org> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Thu, 29 Dec 2011 16:21:03 -0500 (EST) Cc: freebsd-security@freebsd.org, Doug Barton Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Dec 2011 21:21:05 -0000 On Thursday, December 29, 2011 3:30:23 pm Xin Li wrote: > On 12/29/11 11:35, John Baldwin wrote: > > On Thursday, December 29, 2011 2:10:37 pm Xin LI wrote: > >> On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin > >> wrote: > >>> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote: > >>>> On 12/29/11 10:43, John Baldwin wrote: > >>>>> On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote: > >>>>>> On 12/29/11 06:39, John Baldwin wrote: > >>>>>>> Can you give some more details on why ftpd is > >>>>>>> triggering a dlopen inside of the chroot? It would > >>>>>>> appear that that is unrelated to helper programs (since > >>>>>>> setting a flag in libc in ftpd can't possibly affect > >>>>>>> helper programs ability to use dlopen() from within > >>>>>>> libc). > >>>>>> > >>>>>> Sure. That's because nsdispatch(3) would reload > >>>>>> /etc/nsswitch.conf if it notices a change. After > >>>>>> chroot() the file is considered as "chang"ed and thus it > >>>>>> reloads the file as well as designated shared libraries. > >>>>> > >>>>> But ftpd has to be doing some operation that invokes an nss > >>>>> lookup after entering the chroot for that to trigger, > >>>>> correct? > >>>> > >>>> Oh ok, that was the built-in ls(1). > >>> > >>> Were we not able to drop privilege before doing that? I.e. if > >>> you forked a new process that dropped privilege before doing > >>> the ls (similar to if you were to exec /bin/ls as a helper), > >>> would that not have fixed this? > >> > >> No, it won't. This is arbitrary code execution and not just > >> privilege escalation :( > > > > So how is there not still a problem for helper programs? Is ls the > > only way a user can initiate a helper program? 
Hmm, looks like > > ftpd will only ever invoke ls, and thus only ls_main(), so there's > > lots of dead code (e.g. where ftpd invokes execv() in ftpd_popen() > > is a dead code path). That clears up some confusion on my part as > > I didn't understand why it was ok to execute arbitrary programs > > from ftpd but the built-in ls was special. I still find the symbol > > name incredibly ugly. Another route might have been set an env > > var > > It is ugly. > > > to disable use of dlopen() in libc. That would have worked even if > > ftpd invoked an external program, whereas the built-in ls is now > > key to security and no longer a simple optimization. > > I think it's not an optimization but how ftpd would work in chroot > environment without a partial or full blown FreeBSD inside chroot > setup? Otherwise one will not be able to do 'ls' if user was chroot. Presumably one could do a static ls. Even with the built-in ls we create a dummy passwd/group file for the anonymous chroot by default. I agree a built-in ls is strictly better, however. I would also be fine with removing all notion of execv for helper programs from ftpd and have it only ever use the built-in ls via ftpd_popen(). > Using an environment variable may be not a good idea since it can be > easily overridden, and I think if the program runs something inside > the chroot, the jailed chroot would have more proper setup to avoid > this type of attack? Well, it would not be possible to override it in the immediate process being executed. Right now that case is not handled at all. However, I do think that this mostly falls down to creating "safe" chroot / jail areas rather than the OS being able to defend unsafe areas. 
-- John Baldwin From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 21:30:44 2011 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C1982106566B; Thu, 29 Dec 2011 21:30:44 +0000 (UTC) (envelope-from ache@vniz.net) Received: from vniz.net (vniz.net [194.87.13.69]) by mx1.freebsd.org (Postfix) with ESMTP id 351528FC14; Thu, 29 Dec 2011 21:30:43 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by vniz.net (8.14.5/8.14.5) with ESMTP id pBTLUc8h072431; Fri, 30 Dec 2011 01:30:38 +0400 (MSK) (envelope-from ache@vniz.net) Received: (from ache@localhost) by localhost (8.14.5/8.14.5/Submit) id pBTLUcAX072430; Fri, 30 Dec 2011 01:30:38 +0400 (MSK) (envelope-from ache) Date: Fri, 30 Dec 2011 01:30:38 +0400 From: Andrey Chernov To: John Baldwin Message-ID: <20111229213038.GA69220@vniz.net> Mail-Followup-To: Andrey Chernov , John Baldwin , d@delphij.net, freebsd-security@FreeBSD.ORG, Doug Barton References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291435.03493.jhb@freebsd.org> <4EFCCDDF.5080602@delphij.net> <201112291617.05113.jhb@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201112291617.05113.jhb@freebsd.org> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@FreeBSD.ORG, Doug Barton , d@delphij.net Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Dec 2011 21:30:44 -0000 On Thu, Dec 29, 2011 at 04:17:04PM -0500, John Baldwin wrote: > Presumably one could do a static ls. Even with the built-in ls we > create a dummy passwd/group file for the anonymous chroot by default. > I agree a built-in ls is strictly better, however. I would also be > fine with removing all notion of execv for helper programs from ftpd > and have it only ever use the built-in ls via ftpd_popen(). Don't think about our ftpd only. Other ones calls date(1), tar(1), etc. > However, > I do think that this mostly falls down to creating "safe" chroot / jail > areas rather than the OS being able to defend unsafe areas. I agree. We can describe safe way better in our documentation, but can't prevent foot shooting without penalty for "good" admins. Bad example is M$ Windows which tries to prevent foot shooting from _inside_ the system by greedy and annoying permanent antivirus monitoring. 
-- http://ache.vniz.net/ From owner-freebsd-security@FreeBSD.ORG Fri Dec 30 13:10:42 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2AB6F1065680 for ; Fri, 30 Dec 2011 13:10:42 +0000 (UTC) (envelope-from fabian@wenks.ch) Received: from batman.home4u.ch (batman.home4u.ch [IPv6:2001:8a8:1005:1::2]) by mx1.freebsd.org (Postfix) with ESMTP id B39738FC08 for ; Fri, 30 Dec 2011 13:10:41 +0000 (UTC) X-Virus-Scanned: amavisd-new at home4u.ch Received: from flashback.wenks.ch (fabian@flashback.wenks.ch [62.12.173.4]) (authenticated bits=0) by batman.home4u.ch (8.14.4/8.14.4) with ESMTP id pBUDAc1v066582 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Fri, 30 Dec 2011 14:10:39 +0100 (CET) (envelope-from fabian@wenks.ch) Message-ID: <4EFDB84E.5040100@wenks.ch> Date: Fri, 30 Dec 2011 14:10:38 +0100 From: Fabian Wenk User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.25) Gecko/20111213 Thunderbird/3.1.17 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <201112231536.pBNFaoj3078926@freefall.freebsd.org> <4EFCB7E9.1040506@delphij.net> <89DD399E-DCCA-4C4A-BFB9-3990E6720C75@patpro.net> In-Reply-To: <89DD399E-DCCA-4C4A-BFB9-3990E6720C75@patpro.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Dec 2011 13:10:42 -0000 Hello Patrick On 29.12.2011 21:06, Patrick Proniewski wrote: >>> No updates needed to update system to 8.1-RELEASE-p7. >>> >>> # uname -r 8.1-RELEASE-p5 > I have rebooted (twice). That's strange. 
The -pX will only be updated when the kernel has been rebuilt. It is in /usr/src/sys/conf/newvers.sh (on my FreeBSD 7.4-RELEASE-p5) with: TYPE="FreeBSD" REVISION="7.4" BRANCH="RELEASE-p5" The FreeBSD Security Advisories also list this file in the "VI. Correction details" section. bye Fabian