CVE-2014-0181: '[PATCH 0/5]: Preventing abuse when passing file descriptors'
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.
List: linux-netdev
Subject: [PATCH 0/5]: Preventing abuse when passing file descriptors
From: ebiederm () xmission ! com (Eric W ! Biederman)
Date: 2014-04-23 21:24:47
Message-ID: 87a9bbeo2o.fsf_-_ () x220 ! int ! ebiederm ! org
Andy Lutomirski, when looking at the networking stack, noticed that it is possible to trick privileged processes into calling write on a netlink socket and sending netlink messages they did not intend.
In particular, from time to time there are suid applications that will write to stdout or stderr without checking exactly what kind of file descriptors those are, and they can be tricked into acting as a limited form of suid cat. In other conversations the magic string CVE-2014-0181 has been used to talk about this issue.
This patchset cleans things up a bit, adds some clean abstractions that, when used, prevent this kind of problem, and then finally changes all of the handlers of netlink messages that I could find that call capable to use netlink_ns_capable or an appropriate wrapper.
The abstraction netlink_ns_capable verifies that the original creator of the netlink socket a message is sent from had the necessary capabilities as well as verifying that the current sender of a netlink packet has the necessary capabilities.
The idea is to prevent file descriptor passing of any form from resulting in a file descriptor that can do more than it can for the creator of the file descriptor.
Eric W. Biederman (5):
  netlink: Rename netlink_capable netlink_allowed
  net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump
  net: Add variants of capable for use on on sockets
  net: Add variants of capable for use on netlink messages
  net: Use netlink_ns_capable to verify the permisions of netlink messages
 crypto/crypto_user.c            |  2 +-
 drivers/connector/cn_proc.c     |  2 +-
 drivers/scsi/scsi_netlink.c     |  2 +-
 include/linux/netlink.h         |  7 ++++
 include/linux/sock_diag.h       |  2 +-
 include/net/sock.h              |  5 +++
 kernel/audit.c                  |  4 +--
 net/can/gw.c                    |  4 +--
 net/core/rtnetlink.c            | 20 ++++++-----
 net/core/sock.c                 | 49 +++++++++++++++++++++++++++
 net/core/sock_diag.c            |  4 +--
 net/dcb/dcbnl.c                 |  2 +-
 net/decnet/dn_dev.c             |  4 +--
 net/decnet/dn_fib.c             |  4 +--
 net/decnet/netfilter/dn_rtmsg.c |  2 +-
 net/netfilter/nfnetlink.c       |  2 +-
 net/netlink/af_netlink.c        | 75 +++++++++++++++++++++++++++++++++++++++---
 net/netlink/genetlink.c         |  2 +-
 net/packet/diag.c               |  7 +++-
 net/phonet/pn_netlink.c         |  8 ++---
 net/sched/act_api.c             |  2 +-
 net/sched/cls_api.c             |  2 +-
 net/sched/sch_api.c             |  6 ++--
 net/tipc/netlink.c              |  2 +-
 net/xfrm/xfrm_user.c            |  2 +-
 25 files changed, 177 insertions(+), 44 deletions(-)
Eric
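The two-sided check the cover letter describes, as an added user-space model for illustration (this is not the kernel's netlink_ns_capable; the capability bit value, the struct layouts and the message_accepted helper are constructed here, and the model only contrasts the old sender-only check with the opener-and-sender check):

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration, not the kernel's code: a user-space model of the
 * check the series introduces. The socket remembers the capability set
 * of the task that opened it, and a message is authorized only if BOTH
 * that opener and the task currently sending hold the capability. */

#define CAP_NET_ADMIN (1u << 12)   /* bit position chosen for this model */

struct task    { uint32_t caps; };          /* effective capability mask */
struct nl_sock { uint32_t opener_caps; };   /* snapshot taken at open()  */
struct nl_msg  { const struct nl_sock *sk; const struct task *sender; };

/* Record the opener's capabilities when the socket is created, mirroring
 * the creator credentials the series keeps on the netlink socket. */
static struct nl_sock nl_socket_open(const struct task *opener)
{
    struct nl_sock sk = { .opener_caps = opener->caps };
    return sk;
}

/* Pre-series behaviour: only the task currently calling write() is checked,
 * so a passed-in descriptor inherits the writer's privilege. */
static bool capable_model(const struct nl_msg *m, uint32_t cap)
{
    return (m->sender->caps & cap) != 0;
}

/* Post-series behaviour (model of netlink_ns_capable): the opener must have
 * held the capability AND the current sender must hold it too. */
static bool netlink_ns_capable_model(const struct nl_msg *m, uint32_t cap)
{
    bool opener_ok = (m->sk->opener_caps & cap) != 0;
    bool sender_ok = (m->sender->caps & cap) != 0;
    return opener_ok && sender_ok;
}

/* Would a message needing `required` be accepted? Constructed helper that
 * runs one (opener, sender) pairing through either policy. */
static bool message_accepted(uint32_t opener_caps, uint32_t sender_caps,
                             uint32_t required, bool use_ns_capable)
{
    struct task opener = { opener_caps }, sender = { sender_caps };
    struct nl_sock sk = nl_socket_open(&opener);
    struct nl_msg m = { &sk, &sender };
    return use_ns_capable ? netlink_ns_capable_model(&m, required)
                          : capable_model(&m, required);
}
```

The cover letter's scenario is message_accepted(0, CAP_NET_ADMIN, CAP_NET_ADMIN, …): an unprivileged opener whose socket is written by a CAP_NET_ADMIN setuid program passes the old check and fails the new one, while a socket both opened and written by a privileged task still passes.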