From owner-freebsd-security@FreeBSD.ORG Sun Aug 1 05:09:59 2010
From: Chris Walker
To: Bryan Drewery
Cc: Kostik Belousov, István, Selphie Keller, freebsd-security
Date: Sun, 1 Aug 2010 07:06:36 +0200
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
Message-Id: <023E2510-6766-4844-857B-1ACBA53C871E@velocitum.com>
In-Reply-To: <4C545DB0.6020901@xzibition.com>
References: <235BB726E71747BA980A0EF60F76ED37@2WIRE304> <20100731124136.GN22295@deviant.kiev.zoral.com.ua> <4C545DB0.6020901@xzibition.com>

Bryan, it is merely a statement of facts. Another statement of facts: Your kernel module to remove the sendfile syscall breaks a ton of applications.

The right thing to do is _always_ to patch properly. In this case it would be either: Patch your kernel and reboot *or* load a replacement call. The recommended approach by the FreeBSD security officer is obviously to patch up and reboot. Removing a syscall because you want to maintain uptime on the shell provider you run is just ludicrous. That said, there is already functionality in place to prevent this. MAC framework springs to mind. :)

If you are interested in a flamewar you have my email, let's keep it off-list.

thanks.

On Jul 31, 2010, at 7:30 PM, Bryan Drewery wrote:

> The module/change never proposed to stop the exploit. There's no reason
> to attack someone trying to help the community. It's merely adding on
> top of the already existing securelevel restrictions, such as chflags
> restrictions. It makes a lot of sense to restrict setuid/setgid when in
> securelevel, based on the fact that flags are as well.
>
> But maybe securelevel should just be removed? By your arguments it's
> useless, makes the system unstable and gives a false sense of security.
>
> Bryan
>
> On 7/31/2010 10:39 AM, Chris Walker wrote:
>> Hi list
>>
>> #1 Not same exploit referenced in URL.
>> #2 Not same bug, although you had the function right, sort of.
>> #3 That kernel module is useless: The exploit in the wild has already changed to bypass such restriction.
>> #4 The bug is already patched, upgrade your kernel.
>> #5 If you intend on introducing a kernel module that potentially makes your system unstable, make sure it actually fixes the bug. This workaround merely made the exploit grow more lethal, and provides a FALSE sense of security, and as such I would *STRONGLY* discourage use of this kernel module.
>>
>> This is a perfect example of why software developers never ever will be able to fight blackhat hackers: Ignorance.
>>
>> Thanks.
>>
>> On Jul 31, 2010, at 2:59 PM, István wrote:
>>
>>> http://www.securiteam.com/exploits/6P00C00EKO.html
>>>
>>> HTH
>>>
>>> On Sat, Jul 31, 2010 at 1:41 PM, Kostik Belousov wrote:
>>>
>>>> On Fri, Jul 30, 2010 at 11:18:39PM -0700, Selphie Keller wrote:
>>>>> Kernel module for chmod restrictions while in securelevel one or higher:
>>>>> http://gist.github.com/501800 (fbsd 8.x)
>>>>>
>>>>> Was looking at the new recent sendfile/mbuf exploit and it was using a
>>>>> shellcode that calls chmod syscall to make a setuid/setgid binary.
>>>> However
>>>> Can you point to the exploit (code) ?
>>>>
>>>
>>>
>>> --
>>> the sun shines for all
>>>
>>> http://l1xl1x.blogspot.com
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Wed Aug 4 22:58:57 2010
From: Robert Watson
To: Selphie Keller
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Aug 2010 23:58:56 +0100 (BST)
Subject: Re: kernel module for chmod restrictions while in securelevel one or higher
In-Reply-To: <235BB726E71747BA980A0EF60F76ED37@2WIRE304>
References: <235BB726E71747BA980A0EF60F76ED37@2WIRE304>

On Fri, 30 Jul 2010, Selphie Keller wrote:

> Kernel module for chmod restrictions while in securelevel one or higher:
> http://gist.github.com/501800 (fbsd 8.x)
>
> Was looking at the new recent sendfile/mbuf exploit and it was using a
> shellcode that calls chmod syscall to make a setuid/setgid binary. However
> was thinking of ways to block the creation of suid/sgid binaries if the
> machine is in a securelevel, beyond the normal things like nosuid/noexec
> mount flags for /tmp.
>
> So came up with this quick module to handle it, but the concept of
> restricting the creation of suid/sgid binaries while in securelevel seems
> like a good idea to be part of the base.

While I'm not convinced this approach is a good idea (the remainder of the thread suggests some reasons why), a better way to implement the same policy would be to use the MAC Framework's mpo_vnode_check_setmode entry point. This would catch all the chmod variations, including ones in compatibility ABIs such as the Linux ABI.

Robert
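The policy Robert Watson describes, written out as an added example that is not part of this thread, of the gist Selphie posted, or of FreeBSD's own code: a MAC policy module that denies any mode change which would leave the setuid or setgid bit set while the caller's securelevel is 1 or higher. The decision is isolated in a pure function, nosetugid_decide(), so the rule can be compiled and exercised in userland; the kernel-only parts (the mpo_vnode_check_setmode hook, the mac_policy_ops table and the MAC_POLICY_SET registration) sit behind #ifdef _KERNEL and assume the FreeBSD 8.x mac_policy(9) API and the jail-aware securelevel_gt() helper, neither of which the thread quotes. The module name mac_nosetugid and the function names are assumptions.

```c
/*
 * Added example (not from the thread, the gist, or FreeBSD): a MAC policy
 * that refuses chmod(2) and its variants when the resulting mode carries
 * S_ISUID or S_ISGID and the caller's securelevel is >= 1.
 *
 * The decision lives in a pure function so it can be run in userland; the
 * MAC hook and registration are compiled only in the kernel (#ifdef _KERNEL)
 * and assume the FreeBSD 8.x mac_policy(9) API.
 */
#ifdef _KERNEL
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/systm.h>
#include <sys/stat.h>
#include <sys/ucred.h>
#include <sys/vnode.h>
#include <security/mac/mac_policy.h>
#else
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <stdio.h>
#endif

/*
 * Pure policy decision.  in_securelevel is nonzero when the caller's
 * (jail-aware) securelevel is >= 1.  Returns 0 to allow, EPERM to deny.
 *
 * Caveat: the rule keys on the *resulting* mode, so in securelevel it also
 * refuses to re-apply setuid to a file that already has it (for example a
 * package upgrade running chmod 4755 on a helper).  That is the "breaks
 * applications" cost the thread argues about, and it is why this is a
 * post-exploitation inconvenience for an attacker, not a fix for the bug.
 */
static int
nosetugid_decide(int in_securelevel, mode_t mode)
{
	if (!in_securelevel)
		return (0);
	if ((mode & (S_ISUID | S_ISGID)) != 0)
		return (EPERM);
	return (0);
}

#ifdef _KERNEL
/*
 * mpo_vnode_check_setmode is consulted on every path that changes a
 * vnode's mode (chmod, fchmod, lchmod, fchmodat and compatibility ABIs
 * such as the Linux ABI), which is why it is a better choke point than
 * replacing a single syscall table entry.
 */
static int
nosetugid_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, mode_t mode)
{
	/* securelevel_gt() returns EPERM when the securelevel is > 0. */
	return (nosetugid_decide(securelevel_gt(cred, 0) != 0, mode));
}

static struct mac_policy_ops nosetugid_ops = {
	.mpo_vnode_check_setmode = nosetugid_vnode_check_setmode,
};

/* Assumed module name; unloadable so an operator can back it out. */
MAC_POLICY_SET(&nosetugid_ops, mac_nosetugid,
    "Deny setuid/setgid modes in securelevel", MPC_LOADTIME_FLAG_UNLOADOK,
    NULL);

#else /* userland demonstration of the decision table */

int
main(void)
{
	/* Constructed sample requests: (securelevel >= 1 ?, requested mode). */
	struct { int sl; mode_t m; const char *what; } cases[] = {
		{ 0, 04755, "securelevel 0, chmod 4755" },
		{ 1, 04755, "securelevel 1, chmod 4755" },
		{ 1, 02755, "securelevel 1, chmod 2755" },
		{ 1, 00755, "securelevel 1, chmod 0755" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-26s -> %s\n", cases[i].what,
		    nosetugid_decide(cases[i].sl, cases[i].m) ? "EPERM" : "allowed");
	return (0);
}
#endif
```

In the kernel the hook only supplies the securelevel test and hands the mode to the same function the userland build exercises, so the decision table printed by main() is exactly what the module would enforce. Because the MAC Framework calls the hook before the mode reaches the filesystem, the denial shows up to the caller as EPERM from chmod(2) regardless of which ABI issued it; that, not the syscall-table patching the thread objects to, is the point Robert is making.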