From: Romain Naour <romain.naour@openwide.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] openvmtools: add patch to defend from lsb path walking attack
Date: Sun, 08 Mar 2015 22:24:04 +0100 [thread overview]
Message-ID: <54FCBDF4.1050607@openwide.fr> (raw)
In-Reply-To: <1424902476-24448-2-git-send-email-kaszak@gmail.com>
Hi Karoly,
Le 25/02/2015 23:14, Karoly Kasza a ?crit :
> Add patch to defend lsb from path walking attack.
> Originally from Debian.
>
> Signed-off-by: Karoly Kasza <kaszak@gmail.com>
> ---
> package/openvmtools/0009-lsb.patch | 106 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 106 insertions(+)
> create mode 100644 package/openvmtools/0009-lsb.patch
>
> diff --git a/package/openvmtools/0009-lsb.patch b/package/openvmtools/0009-lsb.patch
> new file mode 100644
> index 0000000..54c3232
> --- /dev/null
> +++ b/package/openvmtools/0009-lsb.patch
> @@ -0,0 +1,106 @@
> +Upsteam Debian patch to defend openvmtools against path walking.
> +
> +Original description:
> +
> +From 3a9f2297a82b9c109e894b5f8ea17753e68830ac Mon Sep 17 00:00:00 2001
> +From: "VMware, Inc" <>
> +Date: Tue, 17 Sep 2013 20:39:34 -0700
> +Subject: [PATCH] Harden HostinfoOSData against $PATH attacks.
> +
> +We are doing a popen("lsb_release... ") when attempting to
> +determine host details in hostinfoPosix.c. Using popen means that
> +$PATH is walked when looking for the lsb_release binary, and that
> +may give an attacker the ability to run a malicious version of
> +lsb_release.
> +
> +This change does two things,
> +
> +a) Hard code the path to lsb_release. I've searched around
> + the web and I believe the path is always "/usr/bin/lsb_release"
> + so let's not leave this up to chance.
> +
> +b) Stop running HostinfoGetCmdOutput with elevated privileges. Drop
> + to non-root when possible. If someone sneaks in a new call to
> + HostinfoGetCmdOutput and doesn't use a full path, then we will
> + hopefully avoid a firedrill. I'm only applying this to Linux
> + because the Fusion build barfed when I tried to compile with
> + without the vmx86_linux.
> +
> +I think either (a) or (b) would be enough but I'm doing both,
> +because each individually is correct. Also note that in the blog
> +post by Tavis Ormandy calls out doing (a) as not enough,
> + http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
> +His example uses a bash feature that allows functions to be
> +exported. I haven't been able to get that to work on my Ubuntu
> +machine.
> +
> +To test I'm manually run Linux WS and Fusion and verified that
> +the logs look correct.
> +
> +Signed-off-by: Dmitry Torokhov <dtor@vmware.com>
> +
> +Signed-off-by: Karoly Kasza <kaszak@gmail.com>
> +
> +---
> + open-vm-tools/lib/misc/hostinfoPosix.c | 23 +++++++++++++++++++----
> + 1 file changed, 19 insertions(+), 4 deletions(-)
> +
> +--- a/lib/misc/hostinfoPosix.c
> ++++ b/lib/misc/hostinfoPosix.c
> +@@ -800,17 +800,27 @@ out:
> + static char *
> + HostinfoGetCmdOutput(const char *cmd) // IN:
> + {
> ++ Bool isSuperUser = FALSE;
> + DynBuf db;
> + FILE *stream;
> + char *out = NULL;
> +
> ++ /*
> ++ * Attempt to lower privs, because we use popen and an attacker
> ++ * may control $PATH.
> ++ */
> ++ if (vmx86_linux && Id_IsSuperUser()) {
> ++ Id_EndSuperUser(getuid());
> ++ isSuperUser = TRUE;
> ++ }
> ++
> + DynBuf_Init(&db);
> +
> + stream = Posix_Popen(cmd, "r");
> + if (stream == NULL) {
> + Warning("Unable to get output of command \"%s\"\n", cmd);
> +
> +- return NULL;
> ++ goto exit;
> + }
> +
> + for (;;) {
> +@@ -844,11 +854,16 @@ HostinfoGetCmdOutput(const char *cmd) /
> + if (DynBuf_Get(&db)) {
> + out = (char *) DynBuf_AllocGet(&db);
> + }
> +- closeIt:
> +- DynBuf_Destroy(&db);
> +
> ++ closeIt:
> + pclose(stream);
> +
> ++ exit:
> ++ DynBuf_Destroy(&db);
> ++
> ++ if (isSuperUser) {
> ++ Id_BeginSuperUser();
> ++ }
> + return out;
> + }
> +
> +@@ -967,7 +982,7 @@ HostinfoOSData(void)
> + * Try to get OS detailed information from the lsb_release command.
> + */
> +
> +- lsbOutput = HostinfoGetCmdOutput("lsb_release -sd 2>/dev/null");
> ++ lsbOutput = HostinfoGetCmdOutput("/usr/bin/lsb_release -sd 2>/dev/null");
> + if (!lsbOutput) {
> + int i;
> +
>
Although we don't have a lsb package in Buildroot, this patch looks good.
Reviewed-by: Romain Naour <romain.naour@openwide.fr>
Best regards,
Romain
next prev parent reply other threads:[~2015-03-08 21:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-25 22:14 [Buildroot] [PATCH 1/2] openvmtools: add patch to use KVERS instead of shell exec Karoly Kasza
2015-02-25 22:14 ` [Buildroot] [PATCH 2/2] openvmtools: add patch to defend from lsb path walking attack Karoly Kasza
2015-03-08 21:24 ` Romain Naour [this message]
2015-03-08 21:39 ` [Buildroot] [PATCH 1/2] openvmtools: add patch to use KVERS instead of shell exec Romain Naour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FCBDF4.1050607@openwide.fr \
--to=romain.naour@openwide.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.