From: Romain Naour <romain.naour@openwide.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] openvmtools: add patch to defend from lsb path walking attack
Date: Sun, 08 Mar 2015 22:24:04 +0100 [thread overview]
Message-ID: <54FCBDF4.1050607@openwide.fr> (raw)
In-Reply-To: <1424902476-24448-2-git-send-email-kaszak@gmail.com>
Hi Karoly,
Le 25/02/2015 23:14, Karoly Kasza a ?crit :
> Add patch to defend lsb from path walking attack.
> Originally from Debian.
>
> Signed-off-by: Karoly Kasza <kaszak@gmail.com>
> ---
> package/openvmtools/0009-lsb.patch | 106 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 106 insertions(+)
> create mode 100644 package/openvmtools/0009-lsb.patch
>
> diff --git a/package/openvmtools/0009-lsb.patch b/package/openvmtools/0009-lsb.patch
> new file mode 100644
> index 0000000..54c3232
> --- /dev/null
> +++ b/package/openvmtools/0009-lsb.patch
> @@ -0,0 +1,106 @@
> +Upsteam Debian patch to defend openvmtools against path walking.
> +
> +Original description:
> +
> +From 3a9f2297a82b9c109e894b5f8ea17753e68830ac Mon Sep 17 00:00:00 2001
> +From: "VMware, Inc" <>
> +Date: Tue, 17 Sep 2013 20:39:34 -0700
> +Subject: [PATCH] Harden HostinfoOSData against $PATH attacks.
> +
> +We are doing a popen("lsb_release... ") when attempting to
> +determine host details in hostinfoPosix.c. Using popen means that
> +$PATH is walked when looking for the lsb_release binary, and that
> +may give an attacker the ability to run a malicious version of
> +lsb_release.
> +
> +This change does two things,
> +
> +a) Hard code the path to lsb_release. I've searched around
> + the web and I believe the path is always "/usr/bin/lsb_release"
> + so let's not leave this up to chance.
> +
> +b) Stop running HostinfoGetCmdOutput with elevated privileges. Drop
> + to non-root when possible. If someone sneaks in a new call to
> + HostinfoGetCmdOutput and doesn't use a full path, then we will
> + hopefully avoid a firedrill. I'm only applying this to Linux
> + because the Fusion build barfed when I tried to compile with
> + without the vmx86_linux.
> +
> +I think either (a) or (b) would be enough but I'm doing both,
> +because each individually is correct. Also note that in the blog
> +post by Tavis Ormandy calls out doing (a) as not enough,
> + http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
> +His example uses a bash feature that allows functions to be
> +exported. I haven't been able to get that to work on my Ubuntu
> +machine.
> +
> +To test I'm manually run Linux WS and Fusion and verified that
> +the logs look correct.
> +
> +Signed-off-by: Dmitry Torokhov <dtor@vmware.com>
> +
> +Signed-off-by: Karoly Kasza <kaszak@gmail.com>
> +
> +---
> + open-vm-tools/lib/misc/hostinfoPosix.c | 23 +++++++++++++++++++----
> + 1 file changed, 19 insertions(+), 4 deletions(-)
> +
> +--- a/lib/misc/hostinfoPosix.c
> ++++ b/lib/misc/hostinfoPosix.c
> +@@ -800,17 +800,27 @@ out:
> + static char *
> + HostinfoGetCmdOutput(const char *cmd) // IN:
> + {
> ++ Bool isSuperUser = FALSE;
> + DynBuf db;
> + FILE *stream;
> + char *out = NULL;
> +
> ++ /*
> ++ * Attempt to lower privs, because we use popen and an attacker
> ++ * may control $PATH.
> ++ */
> ++ if (vmx86_linux && Id_IsSuperUser()) {
> ++ Id_EndSuperUser(getuid());
> ++ isSuperUser = TRUE;
> ++ }
> ++
> + DynBuf_Init(&db);
> +
> + stream = Posix_Popen(cmd, "r");
> + if (stream == NULL) {
> + Warning("Unable to get output of command \"%s\"\n", cmd);
> +
> +- return NULL;
> ++ goto exit;
> + }
> +
> + for (;;) {
> +@@ -844,11 +854,16 @@ HostinfoGetCmdOutput(const char *cmd) /
> + if (DynBuf_Get(&db)) {
> + out = (char *) DynBuf_AllocGet(&db);
> + }
> +- closeIt:
> +- DynBuf_Destroy(&db);
> +
> ++ closeIt:
> + pclose(stream);
> +
> ++ exit:
> ++ DynBuf_Destroy(&db);
> ++
> ++ if (isSuperUser) {
> ++ Id_BeginSuperUser();
> ++ }
> + return out;
> + }
> +
> +@@ -967,7 +982,7 @@ HostinfoOSData(void)
> + * Try to get OS detailed information from the lsb_release command.
> + */
> +
> +- lsbOutput = HostinfoGetCmdOutput("lsb_release -sd 2>/dev/null");
> ++ lsbOutput = HostinfoGetCmdOutput("/usr/bin/lsb_release -sd 2>/dev/null");
> + if (!lsbOutput) {
> + int i;
> +
>
Although we don't have a lsb package in Buildroot, this patch looks good.
Reviewed-by: Romain Naour <romain.naour@openwide.fr>
Best regards,
Romain
next prev parent reply other threads:[~2015-03-08 21:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-25 22:14 [Buildroot] [PATCH 1/2] openvmtools: add patch to use KVERS instead of shell exec Karoly Kasza
2015-02-25 22:14 ` [Buildroot] [PATCH 2/2] openvmtools: add patch to defend from lsb path walking attack Karoly Kasza
2015-03-08 21:24 ` Romain Naour [this message]
2015-03-08 21:39 ` [Buildroot] [PATCH 1/2] openvmtools: add patch to use KVERS instead of shell exec Romain Naour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FCBDF4.1050607@openwide.fr \
--to=romain.naour@openwide.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox