Re: type transitioning script race condition?

[Klaus Weidner <klaus@atsec.com>]

On Thu, Aug 31, 2006 at 11:29:24AM -0400, Karl MacMillan wrote:
> Sorry - started one message and sent another. If you embed the script
> (as a string) and interpreter in the C wrapper you can avoid the race.

Yes, the important thing is to ensure that raising the privileges and
picking the thing to execute is a single operation.

> In practice - for the scripts we are discussing - if you have sufficient
> privilege to modify the script or the environment to take advantage of
> the race condition you likely have a more direct attack vector. So the
> environment cleansing seems more important to me.

You don't need to modify the script or have special privileges to exploit
the race condition. A possible example looks like this:

- create link to executable (the link can be one of the path components),
  for example:

	ln -s /usr/sbin /tmp/hack

- execute /tmp/hack/semanage

- kernel looks at label of /tmp/hack/semanage, gets the label of
  /usr/sbin/semanage

- kernel decides to do a domain transition, suid, whatever

- kernel executes: /usr/bin/python /tmp/hack/semanage

- attacker redirects /tmp/hack to /tmp/malicious/ which contains a
  different semanage script

- python opens /tmp/hack/semanage which now resolves to
  /tmp/malicious/semanage

(As an aside, I think in this specific case the AppArmor approach of
making the security decisions based on the path name is actually safer
than using the file label. Time for a flame war about "label based
security considered harmful"? ;-)  But the real solution is to avoid the
race in the first place.)

-Klaus

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.