From: "Theodore Ts'o" <tytso@mit.edu>
To: LidongLI <wirelessdonghack@gmail.com>
Cc: gregkh@linuxfoundation.org, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
linux-wireless@vger.kernel.org, mark.esler@canonical.com,
stf_xl@wp.pl
Subject: Re: Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability
Date: Mon, 5 Aug 2024 23:06:19 -0400 [thread overview]
Message-ID: <20240806030619.GB1008477@mit.edu> (raw)
In-Reply-To: <20240806015904.1004435-1-wirelessdonghack@gmail.com>
On Tue, Aug 06, 2024 at 09:59:04AM +0800, LidongLI wrote:
>
> Yes, as you mentioned, it requires users to create their own udev
> rules, which is not common among Ubuntu personal users. However, in
> some non-personal user scenarios, they must pre-add udev rules to
> meet their needs. A simple example: in some Ubuntu embedded Linux
> scenarios, we found that when starting a wireless hotspot,
> developers must configure udev rules to ensure a stable connection,
> enable auto-loading of drivers, or auto-run or write USB-based
> auto-configuration scripts.
Yes, but when the user is setting up their own udev rules, they are
editing them as root (e.g, "sudo nano /etc/udev/rules.d/").
But in your exploit scenario, the *attacker* needs to be able to
insert a specific udev rule to allow the attack to succeed. So that
means that the attacker needs to be able to manipulate the user to
insert a udev rule which allows the attacker to acarry out the attack,
or the user has left the udev rule file in such a way that it is
writeable by the attacker. But in that case, the attacker can just
edit the udev rule to arrange to run some script as root, ad it's
already game over.
Your argument is roughly the same as "sudo is a vulerability because
the attacker could run (or trick the user to run) the command 'sudo
chmod 4755 /bin/bash'. Well yes, if the attacker can arrange to run a
particular command as root, it's game over. But that's not a security
bug, but rather a bug in the gullible user who has root access.
Similarly, if the user has a insecure configuration --- say, suppose
the user has run the command "sudo chmod 4755 /bin/bash", it does not
follow that this is a reason to request a CVE for /bin/bash. It's not
really a security bug in /bin/bash, but a bug in how /bin/bash was
confiured.
Cheers,
- Ted
next prev parent reply other threads:[~2024-08-06 3:06 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 7:57 Ubuntu RT2X00 WIFI USB Driver Kernel NULL pointer Dereference&Use-After-Free Vulnerability color Ice
2024-08-02 8:19 ` Mark Esler
2024-08-02 21:03 ` Kalle Valo
2024-08-03 5:42 ` color Ice
2024-08-03 6:31 ` Greg KH
2024-08-03 7:57 ` LidongLI
2024-08-05 2:18 ` LidongLI
2024-08-05 2:20 ` LidongLI
2024-08-05 6:55 ` Greg KH
2024-08-05 8:33 ` LidongLI
2024-08-05 18:33 ` Greg KH
2024-08-05 18:37 ` Greg KH
2024-08-06 1:59 ` LidongLI
2024-08-06 3:06 ` Theodore Ts'o [this message]
2024-08-06 13:38 ` Alan Stern
[not found] ` <CAOV16XF8cEg7+HAFQiCUrt9-Dp4M+-TANjQqRXH87AAdgzmNMg@mail.gmail.com>
2024-08-06 18:36 ` Alan Stern
2024-08-07 1:56 ` color Ice
2024-08-06 2:34 ` LidongLI
2024-08-06 3:54 ` LidongLI
2024-08-06 6:34 ` Greg KH
2024-08-06 6:35 ` Greg KH
2024-08-06 12:45 ` Theodore Ts'o
2024-08-07 2:11 ` LidongLI
2024-08-14 5:58 ` LidongLI
2024-08-14 14:55 ` Alan Stern
2024-08-19 10:49 ` color Ice
2024-08-19 10:56 ` Greg KH
[not found] ` <CAOV16XFYeWdT4tSpLWoE+pCVsNERXKJQCJvJovrfsgMn1PMzbA@mail.gmail.com>
2024-08-19 17:43 ` Greg KH
2024-08-21 8:25 ` color Ice
2024-08-21 14:06 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240806030619.GB1008477@mit.edu \
--to=tytso@mit.edu \
--cc=gregkh@linuxfoundation.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mark.esler@canonical.com \
--cc=stf_xl@wp.pl \
--cc=wirelessdonghack@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).