Re: audit 2.4.4 released

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: audit 2.4.4 released
Date: Fri, 14 Aug 2015 13:04:17 -0400	[thread overview]
Message-ID: <11162124.eJVPhOCAb9@x2> (raw)
In-Reply-To: <55CE17C0.9000307@magitekltd.com>

On Friday, August 14, 2015 09:30:56 AM LC Bruzenak wrote:
> On 08/13/2015 02:30 PM, Steve Grubb wrote:
> > ...
> > 
> > If you ausearch -i on that file, your screen will get underlines with all
> > the text. An attacker could change this to be worse than just underlining
> > your text. They could try to write to the window title and then bounce
> > that back in black on black text to the command prompt hoping the admin
> > will press enter.
>
> Wow; that's something unexpected. Thanks for this extra info Steve; I
> may need to backport to my version.
> Are these changes isolated to the ausearch/aureport code sets or inside
> libs?

Well, that's where it gets complicated. Ausearch was converted to use auparse 
for interpretations a while back. So, I had to patch the whole mess. Any 
utility that uses auparse can also unwittingly pass along terminal escape 
sequences through the interpret function.

So, what I did in auparse is to create a new function: 
auparse_set_escape_mode. It takes one argument which can be any of:

AUPARSE_ESC_RAW - do nothing. Just passes control characters and all.

AUPARSE_ESC_TTY - escape control characters by turning them to octal. This is 
the same thing syslog does. This is the default.

AUPARSE_ESC_SHELL - escape control characters and any of these "'`$\ by 
prepending a \ to the character

AUPARSE_ESC_SHELL_QUOTE - escape control characters and any of these ;'"`#$&*?
[]<>{}\ by prepending a \ to the character.

Once this is set, every  output from auparse is escaped. This will allow 
ausearch/report to shell escape output in a future release. Additionally, it 
was found you could inject control characters by the auditctl command. It now 
prevents that.

So, the patch is rather large and ugly:
https://fedorahosted.org/audit/changeset/1122

You have to be on a susceptible terminal emulator to have any real problems. 
Its for this reason the Security Response Team rates this as low. But in terms 
of audit, you don't want a file path to suddenly change to black on black text 
so that you can't see the full path.

-Steve

     prev parent reply	other threads:[~2015-08-14 17:04 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-08-13 21:30 audit 2.4.4 released Steve Grubb
2015-08-14 16:30 ` LC Bruzenak
2015-08-14 17:04   ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=11162124.eJVPhOCAb9@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.