{"id":24,"date":"2008-05-03T22:24:10","date_gmt":"2008-05-03T22:24:10","guid":{"rendered":""},"modified":"2017-03-07T16:18:33","modified_gmt":"2017-03-07T16:18:33","slug":"on_cooperating_and_paludis_vulnerability","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ferdy\/2008\/05\/03\/on_cooperating_and_paludis_vulnerability\/","title":{"rendered":"On cooperating and paludis vulnerability"},"content":{"rendered":"<p>A serious security issue in paludis was brought to my attention recently, and I feel I should make you all aware. Apparently someone, with root access to a machine, can gain root access by installing or editing paludis config files.<\/p>\n<p>For those interested, this is how it happened (times are GMT+1):<\/p>\n<pre>22:34 &lt;@ferdy&gt; bonsaikitten: can you give me any details regarding that\r\n security bug in paludis?\r\n22:35 &lt;+bonsaikitten&gt; ferdy: it's so obvious you should have found it already\r\n22:37 &lt;@ferdy&gt; bonsaikitten: I should, but I probably haven't\r\n22:37 &lt;+bonsaikitten&gt; ferdy: well, as I am a moron I'm unable to coherently explain :)\r\n22:37 &lt;@ferdy&gt; bonsaikitten: I mean, depends on whether we are talking about\r\na real security issue or about something we should document to avoid people\r\nshooting themselves in the foot\r\n22:39 &lt;@ferdy&gt; bonsaikitten: is that all you are going to tell me?\r\n22:39 &lt;+bonsaikitten&gt; ferdy: come on, it's obvious. You're supposed to be smart ...\r\n22:39 * bonsaikitten is not in a mood to explain\r\n22:40 &lt;@ferdy&gt; bonsaikitten: you aren't really talking about the paludisbuild issue, are you?\r\n22:41 &lt;+bonsaikitten&gt; mmh no, that's a different one\r\n22:41 &lt;@ferdy&gt; k\r\n22:41 &lt;@ferdy&gt; bonsaikitten: what are we talking about?\r\n22:42 &lt;@ferdy&gt; bonsaikitten: you don't need to explain it... just say, in general \r\nterms, what the issue is\r\n22:50 &lt;@ferdy&gt; bonsaikitten: so? 
care to give any useful hint?\r\n22:50 &lt;+bonsaikitten&gt; ferdy: doesn't happen in portage compatibility mode\r\n22:51 &lt;+bonsaikitten&gt; but I blame the vodka, hard to explain when *burp* *giggle*\r\n22:52 &lt;@ferdy&gt; bonsaikitten: what's the impact?\r\n22:53 &lt;+bonsaikitten&gt; ferdy: depends on how annoying the other person is\r\n22:54 &lt;+bonsaikitten&gt; ferdy: worst case random file modification\r\n22:58 &lt;@ferdy&gt; bonsaikitten: and we already agreed that we aren't talking about\r\nthe paludisbuild issue, right?\r\n22:59 &lt;@ferdy&gt; bonsaikitten: if we aren't, I'll need more hints....\r\n23:05 &lt;@ferdy&gt; bonsaikitten: can I get an attack vector?\r\n23:05 &lt;@ferdy&gt; that shouldn't need lots of explaining... I can figure out that\r\npart myself\r\n23:19 &lt;@ferdy&gt; bonsaikitten: have you got that attack vector for me?\r\n23:24 &lt;+bonsaikitten&gt; ferdy: look at configuration files, maybe you notice that\r\nthere's some exquisite code execution possible there\r\n23:29 &lt;@ferdy&gt; bonsaikitten: you mean those config files that only root can\r\nedit? 
I must be missing something here\r\n23:29 &lt;+bonsaikitten&gt; ferdy: you are :)\r\n23:29 &lt;+bonsaikitten&gt; not much, and it's basically the same flaw bashrc is\r\nfor portage\r\n23:29 &lt;+bonsaikitten&gt; only that bashrc is config_protect'ed ...\r\n23:30 &lt;@ferdy&gt; bonsaikitten: but for a package to clobber those files, it must be\r\nin a repo root added, right?\r\n23:31 &lt;+bonsaikitten&gt; someone in the package mangler group, but yes\r\n23:35 &lt;@ferdy&gt; bonsaikitten: but if you can change those files in the first place,\r\nwhy clobber them by adding a malicious repo with a malicious package that changes\r\nthose files?\r\n23:35 &lt;+bonsaikitten&gt; ferdy: because it's very subtle\r\n23:36 &lt;@ferdy&gt; moreover, if you can already do that, why not just make the\r\npackage install whatever backdoor you want?\r\n23:37 &lt;@ferdy&gt; I mean, it is subtle, but why would anyone go the 'convoluted'\r\nroute? he is already able to edit those files (since he had to add that repo)\r\n23:38 &lt;+bonsaikitten&gt; 'cause only paludis is affected and you will find it very\r\nhard to trace\r\n23:38 &lt;+bonsaikitten&gt; that makes it so tempting ...\r\n23:40 &lt;+bonsaikitten&gt; just don't be surprised if it suddenly unmerges itself :)\r\n23:41 &lt;@ferdy&gt; yeah... well...\r\n23:41 &lt;@ferdy&gt; bonsaikitten: mind if I disclose this vulnerability in\r\n planet.gentoo.org?\r\n23:42 &lt;+bonsaikitten&gt; go ahead\r\n23:42 &lt;@ferdy&gt; ta\r\n23:42 &lt;+bonsaikitten&gt; 't is even on the features page of the package mangler :)<\/pre>\n<p>This is a good lesson to learn today:<\/p>\n<p><cite>If you can edit files owned by root on a machine, you can get root access to that machine.<\/cite><\/p>\n<p>So the bottom line is: there is no vulnerability. If you can mangle paludis config files, you are already root, so you don&#8217;t need to edit a file to run any command you want. 
Another lesson one can learn by reading that log is how to be really cooperative.<\/p>\n<p>Ah, and before someone with a need to use cheap psychology asks, the intention of this blag post is to stop the <a href=\"http:\/\/gentooexperimental.org\/~patrick\/weblog\/archives\/2008-05.html#e2008-05-03T21_04_56.txt\">FUD<\/a>.<\/p>\n<p>&#8211; ferdy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A serious security issue in paludis was brought to my attention recently, and I feel I should make you all aware. Apparently someone, with root access to a machine, can gain root access by installing or editing paludis config files. For those interested, this is how it happened (times are GMT+1): 22:34 &lt;@ferdy&gt; bonsaikitten: can &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ferdy\/2008\/05\/03\/on_cooperating_and_paludis_vulnerability\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">On cooperating and paludis vulnerability<\/span><\/a><\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts\/24"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":1,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":44,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts\/24\/revisions\/44"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/media?parent=2
4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}