PSA: Lunix haz teh bugz
-
-
The way to achieve that is probably discussed in this topic?
https://what.thedailywtf.com/topic/23200/alloca-is-hard
-
As designed, the stack memory region includes a mechanism that expands when a program needs more stack memory; this expansion, however, is a security threat.
Wait, what?
Correct me if I'm wrong, but wouldn't it be easier to just say "any access to stack memory above X is invalid" instead of "check if this specific slice of stack is being read"?
What am I missing?
-
It also recommends recompiling all userland code with the -fstack-check option which would prevent the stack pointer from moving into other memory regions. Qualys concedes, however, this is an expensive solution, but one that cannot be defeated unless there is an unknown vulnerability in the -fstack-check option.
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource. There is no reason for any normal software to be compiled without every fucking safety check in the goddamned book turned on. It's not expensive - it's fucking minimum due diligence.
Fucking C people.
-
Is this something that can be triggered remotely, or does it require arbitrary code execution in the first place?
-
@ben_lubar said in PSA: Lunix haz teh bugz:
Is this something that can be triggered remotely, or does it require arbitrary code execution in the first place?
They're looking for the former, have (apparently) seven code examples of the latter.
-
@tsaukpaetra said in PSA: Lunix haz teh bugz:
wouldn't it be easier to just say "any access to stack memory above X is invalid" instead of "check if this specific slice of stack is being read"?
It would probably be slower.
If I remember correctly, the translation of process address space to physical addresses is implemented in hardware as a Memory-Management-Unit.
- The memory is organized into pages (pieces) and the MMU has a table that maps the virtual pages to physical pages.
- The physical pages are only allocated lazily when the program actually writes to them, so some of the virtual memory allocated by your program may not have a mapped physical address.
- When the program accesses a page that does not have a physical address, a page fault is triggered and only now the control is given to the OS. The OS may decide to allocate a new physical page, or kill the program if it tries to access something it should not.
So for most memory operations, a fast hardware-implemented lookup table is used, and the OS is asked only when a new page is needed. That is why it was convenient for them to check for stack overflow using a guard page.
A stack allocation is just changing the value of the stack pointer register.
To detect the overflow, you would have to switch to kernel mode, check the stack pointer and switch back - a significant overhead given that stack allocations happen at least once per function call.
But I have no idea why this leads to privilege escalation.
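The guard-page mechanism the post describes, as an added example for Linux (not the poster's code): a three-page anonymous mapping stands in for a thread's stack, the lowest page is made PROT_NONE as the guard, and a SIGSEGV handler plays the kernel's part. Stores that stay inside the usable pages never reach the OS; the first store below them traps in the MMU, the handler sees the fault address inside the guard page, "grows" the stack by making that page writable, and the faulting instruction retries. The page size, the three-page layout and the 64-byte "frame" stride are constructed for the demo; the code assumes mmap, mprotect and sigaction with SA_SIGINFO (Linux/POSIX).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed demo layout: three anonymous pages act as a stack. The lowest page
 * is the PROT_NONE guard page; the two above it are the usable stack pages. */
static unsigned char *guard_page = NULL;        /* start of the guard page, or NULL */
static size_t page_size = 0;
static volatile sig_atomic_t guard_faults = 0;  /* how many times the guard was hit */

/* Plays the kernel's role: a fault whose address lies in the guard page is resolved
 * by making that page usable (the stack "grows") and returning so the faulting
 * store is retried. Any other SIGSEGV is re-raised with the default action. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a  = (uintptr_t)si->si_addr;
    uintptr_t lo = (uintptr_t)guard_page;
    if (guard_page != NULL && a >= lo && a < lo + page_size) {
        guard_faults++;
        mprotect(guard_page, page_size, PROT_READ | PROT_WRITE);
        return;                                 /* faulting instruction re-executes */
    }
    signal(SIGSEGV, SIG_DFL);
    raise(SIGSEGV);
}

/* Returns 1 when stores inside the usable pages caused no fault and the first store
 * below them hit the guard page exactly once; 0 for any other outcome; -1 on setup error. */
int demo_guard_page(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = 3 * page_size;
    unsigned char *region = mmap(NULL, total, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    if (mprotect(region, page_size, PROT_NONE) != 0) { munmap(region, total); return -1; }
    guard_page = region;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    guard_faults = 0;
    /* "Push" downward through the two usable pages in 64-byte frames: the MMU has
     * valid translations for these, so the OS is never involved. */
    volatile unsigned char *sp = region + total;
    while (sp > region + page_size) { sp -= 64; *sp = 0xAA; }
    int faults_in_stack = guard_faults;

    /* One byte further down is inside the guard page: the hardware traps and the
     * handler above decides what happens. */
    volatile unsigned char *below = region + page_size - 1;
    *below = 0xBB;
    int faults_after = guard_faults;

    sigaction(SIGSEGV, &old, NULL);
    guard_page = NULL;
    munmap(region, total);
    return (faults_in_stack == 0 && faults_after == 1) ? 1 : 0;
}

int main(void) {
    int ok = demo_guard_page();
    printf("guard page demo: %s\n",
           ok == 1 ? "usable pages never faulted; guard page faulted exactly once"
                   : "unexpected result");
    return ok == 1 ? 0 : 1;
}
```

The point of the demo is the asymmetry the post is getting at: every store inside the mapped pages is a plain memory access, and only the single store into the guard page costs a trap into the handler. A real kernel makes the same decision in its page-fault path, which is why a guard page is cheap compared with validating the stack pointer on every allocation.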
-
@weng said in PSA: Lunix haz teh bugz:
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource.
No, storage is.
I work with CPU-bound code all the time. There are definitely places where something like this would make the code run noticeably slower, even on high-end 2017 hardware.
-
@masonwheeler said in PSA: Lunix haz teh bugz:
@weng said in PSA: Lunix haz teh bugz:
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource.
No, storage is.
I work with CPU-bound code all the time. There are definitely places where something like this would make the code run noticeably slower, even on high-end 2017 hardware.
I work with disk-bound code all the time.
-
@ben_lubar Me too, but storage is essentially unlimited these days. When's the last time you filled up a hard drive with your code? Whereas I red-line CPUs on a regular basis. (And you probably do too.)
-
@masonwheeler if you're considering "disk" to be "the available hardware with no time constraints", shouldn't CPU be theoretically infinite?
-
@ben_lubar ...huh?
-
@masonwheeler you can't compare "the CPU I'm allowed to use during this finite amount of time" to "the amount of disk space I can fill in an unlimited amount of time".
-
@ben_lubar ...if you say so
-
@weng said in PSA: Lunix haz teh bugz:
It also recommends recompiling all userland code with the -fstack-check option which would prevent the stack pointer from moving into other memory regions. Qualys concedes, however, this is an expensive solution, but one that cannot be defeated unless there is an unknown vulnerability in the -fstack-check option.
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource. There is no reason for any normal software to be compiled without every fucking safety check in the goddamned book turned on. It's not expensive - it's fucking minimum due diligence.
Fucking C people.
Rust in debug mode compiles with overflow checks on almost every single arithmetic operation. This makes the whole program 10-100x slower in every place.
-
Disk capacity isn't a performance constraining resource at all. It's binary. Either there's enough or there's not. And once you've consumed disk by producing data, you get to keep that data forever and ever and have to pay for that.
If we exceed available CPU, things take longer.
If we exceed available RAM, things take longer (if we swap - if not, memory is ALSO not a performance constraining resource barring memory-aware algorithms)
If we exceed available memory I/O, things take longer.
If we exceed available disk I/O, things take longer.
If we exceed available network I/O, things take longer.
Adding CPU is far and away the easiest (followed by memory). We generally scale out by machines that each have a fixed amount of CPU and memory (and these days scaleout systems tend to be CPU heavy memory light for raisins). If you can scale out, TURN ON THE FUCKING SECURITY CHECKS.
Sure, in single machine desktop use cases, CPU constrained code is bad. But security in an endpoint scenario, we stopped hitting the CPU wall AGES ago. Gramma's fucking email and web browser isn't going to peg out the CPU. TURN ON THE FUCKING SECURITY CHECKS.
-
@weng said in PSA: Lunix haz teh bugz:
There is no reason for any normal software to be compiled without every fucking safety check in the goddamned book turned on.
TURN ON THE FUCKING SECURITY CHECKS.
Not everything is running untrusted code or responding to public network requests.
In science, simulations, machine learning and similar cases, performance is very important.
There it is not worth it to spend more time / use more energy / buy hardware just to follow a cult of security.
-
@adynathos said in PSA: Lunix haz teh bugz:
@weng said in PSA: Lunix haz teh bugz:
There is no reason for any normal software to be compiled without every fucking safety check in the goddamned book turned on.
TURN ON THE FUCKING SECURITY CHECKS.
Not everything is running untrusted code or responding to public network requests.
In science, simulations, machine learning and similar cases, performance is very important.
There it is not worth it to spend more time / use more energy / buy hardware just to follow a cult of security.
Quote me, earlier:
There is no reason for any normal software to be compiled
That is not normal software.
-
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
-
@dse I think they mean creating a symbolic link whose name is the attack value and whose target is the sudo binary. The attack value ends up in /proc/self/stat and triggers the vulnerability. Creating the symlink requires permission to create files.
-
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
Raymond Chen has written numerous blog articles in the past about security 'vulnerabilities' reported to MS that start with legitimately gaining elevated privileges, then using them to elevate other processes and/or modify system files and settings. He calls it 'being the other side of the airtight hatchway'.
-
@dse that sounds like we need the Voice Over Guy from Honest Trailers to say "roooooooooot".
-
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
That's not really correct. Sudo is a more secure alternative to set-uid scripts, so it allows a non-privileged user to run a limited set of commands as another user, where the details depend on the configuration of the sudoers file. Ubuntu started allowing a certain group to run all commands as root, but this is just one configuration.
To go back to the vulnerability: if the user could execute a certain command but couldn't run as root before, allegedly using this vulnerability may allow them to overwrite the sudoers file so that they can run anything they want as root.
-
@jbert sudo -u or sudo bash -i?
-
-
@dse said in PSA: Lunix haz teh bugz:
@jbert sudo -u or sudo bash -i?
You can configure sudo to immediately go "Nope!" and log such an attempt in the system logs. Again, you're likely talking about some configuration with a wildcard somewhere.
-
@masonwheeler said in PSA: Lunix haz teh bugz:
@ben_lubar Me too, but storage is essentially unlimited these days. When's the last time you filled up a hard drive with your code? Whereas I red-line CPUs on a regular basis. (And you probably do too.)
Someone turned off the per-commit build cleanup routine in Jenkins. We managed to fill up the 2 TB drive with about 30 builds before we noticed the problem.
During the start-to-finish build process, the 16-core CPU is only maxed out during the compilation phase. Typically this means about four minutes or so, depending on whether a header was changed or not. The rest of the hour is spent in a single core, slowly saving out packages (synchronously) to the disk, and then putting them into a pak file (because we wouldn't want to do that in one step, now, would we?).
-
@dse said in PSA: Lunix haz teh bugz:
a name that contains a space, followed by a number.
Space separated parameters strike again
-
@tsaukpaetra said in PSA: Lunix haz teh bugz:
Someone turned off the per-commit build cleanup routine in Jenkins.
yeah that happens to us every week in bamboo XD
And the asshole whose build plan takes 30 minutes and who kicks off 5 builds at once whenever his dependencies update (all branches activate) when we only have 6 agents that build his stuff. We used to have 3.
-
@yamikuronue said in PSA: Lunix haz teh bugz:
agents
Yeah, we (probably meaning I) need to figure out how to get other computers in on this agent thing.
-
@Tsaukpaetra said in PSA: Lunix haz teh bugz:
Someone turned off the per-commit build cleanup routine in Jenkins. We managed to fill up the 2 TB drive with about 30 builds before we noticed the problem.
I'm not sure we would notice. We do get build failure emails - but since about 50% of our builds fail because the network was jerked out from under the build, we simply ignore them.
-
@ben_lubar said in PSA: Lunix haz teh bugz:
@masonwheeler said in PSA: Lunix haz teh bugz:
@weng said in PSA: Lunix haz teh bugz:
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource.
No, storage is.
I work with CPU-bound code all the time. There are definitely places where something like this would make the code run noticeably slower, even on high-end 2017 hardware.
I work with disk-bound code all the time.
I work with network-bound code all the time.
-
@wharrgarbl said in PSA: Lunix haz teh bugz:
@ben_lubar said in PSA: Lunix haz teh bugz:
@masonwheeler said in PSA: Lunix haz teh bugz:
@weng said in PSA: Lunix haz teh bugz:
Oh fuck right off. It's fucking 2017, CPU is literally our least constrained resource.
No, storage is.
I work with CPU-bound code all the time. There are definitely places where something like this would make the code run noticeably slower, even on high-end 2017 hardware.
I work with disk-bound code all the time.
I work with network-bound code all the time.
I work with mayonnaise-bound code all the time.
-
@codnghorror said in PSA: Lunix haz teh bugz:
I work with mayonnaise-bound code all the time.
Stop eating at your desk then
-
@raceprouk said in PSA: Lunix haz teh bugz:
@codnghorror said in PSA: Lunix haz teh bugz:
I work with mayonnaise-bound code all the time.
Stop eating at your desk then
I work with diorite-bound code all the time.
-
@ben_lubar said in PSA: Lunix haz teh bugz:
@raceprouk said in PSA: Lunix haz teh bugz:
@codnghorror said in PSA: Lunix haz teh bugz:
I work with mayonnaise-bound code all the time.
Stop eating at your desk then
I work with diorite-bound code all the time.
Just overclock your dwarves. That'll speed it up
-
@sloosecannon said in PSA: Lunix haz teh bugz:
@ben_lubar said in PSA: Lunix haz teh bugz:
@raceprouk said in PSA: Lunix haz teh bugz:
@codnghorror said in PSA: Lunix haz teh bugz:
I work with mayonnaise-bound code all the time.
Stop eating at your desk then
I work with diorite-bound code all the time.
Just overclock your dwarves. That'll speed it up
Do you think they can handle that kind of mod abuse though?
-
@sloosecannon said in PSA: Lunix haz teh bugz:
Just overclock your dwarves. That'll speed it up
Wouldn't that mean paying for overtime?
-
@onyx said in PSA: Lunix haz teh bugz:
Wouldn't that mean paying for overtime?
Or having them collapse under a Speed overdose
-
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
A local user, with sudo privileges can possibly use this to then run arbitrary code with the highest privileges.
See, Linux is just as insecure as Windows
-
@timebandit said in PSA: Lunix haz teh bugz:
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
A local user, with sudo privileges can possibly use this to then run arbitrary code with the highest privileges.
See, Linux is just as insecure as Windows
A local user with sudo privileges can run sudo locally!!!!!!!!!!!!
To be fair, there are tons of similar "vulnerabilities" reported in Windows.
-
@timebandit said in PSA: Lunix haz teh bugz:
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
A local user, with sudo privileges can possibly use this to then run arbitrary code with the highest privileges.
See, Linux is just as insecure as Windows
AIUI, this is more than just root can become root - if you've restricted what you can use sudo for, this vulnerability bypasses it. I.e., you can turn sudo service apache2 restart into sudo su, which defeats the purpose of sudo...
-
@sloosecannon said in PSA: Lunix haz teh bugz:
if you've restricted what you can use sudo for
But nobody does that. Even wtfbank infosec that dedicate their lives to make ours more annoying don't do that.
-
@sloosecannon What if sudoers only allows you to switch to one or more other limited accounts, but not to root?
-
@wharrgarbl said in PSA: Lunix haz teh bugz:
@sloosecannon said in PSA: Lunix haz teh bugz:
if you've restricted what you can use sudo for
But nobody does that. Even wtfbank infosec that dedicate their lives to make ours more annoying don't do that.
I do that all the time. A while ago, I automated the deployment of certain intranet apps, so there's now a user who can execute sudo service httpd restart, but nothing else.
-
@wharrgarbl said in PSA: Lunix haz teh bugz:
@sloosecannon said in PSA: Lunix haz teh bugz:
if you've restricted what you can use sudo for
But nobody does that. Even wtfbank infosec that dedicate their lives to make ours more annoying don't do that.
We do that. I can log in as {app_user} and have sudo access only to the scripts that stop, start, restart or monitor {app}. That way I can manage {app} but I don't have credentials to do any other system-y stuff.
-
@dse said in PSA: Lunix haz teh bugz:
does this mean:
“A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Root can become rooooot
Not everyone with sudo access can do root stuff.
Regular user command to do stuff they're not allowed to wrt two other users (e.g. list their respective home directories):
pjh@hpdesktop:/tmp$ ls /home/sockbot/ /root
ls: cannot open directory '/home/sockbot/': Permission denied
ls: cannot open directory '/root': Permission denied
Using sudo to be one of those other users with the exact same command:
pjh@hpdesktop:/tmp$ sudo -u sockbot ls /home/sockbot/ /root
/home/sockbot/:
restores  shadowmod.json  SockBot  tmp
ls: cannot open directory '/root': Permission denied
Trying, but not allowed to be, root:
pjh@hpdesktop:/tmp$ sudo ls /home/sockbot/ /root
Sorry, user pjh is not allowed to execute '/bin/ls /home/sockbot/ /root' as root on hpdesktop.
pjh@hpdesktop:/tmp$
And the config required to do that:
pjh@hpdesktop:/tmp$ grep sockbot /etc/sudoers
pjh ALL=(sockbot) ALL
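The three outcomes in the transcript above (allowed as sockbot, denied as root) follow from the one sudoers line, and the "sudo service httpd restart, but nothing else" rule from the earlier post is the same idea with the command narrowed instead of the target user. The following is an added example, not the poster's code and not sudo's own implementation: a small C evaluator for a constructed subset of the sudoers format, "user host=(runas) command", where ALL is the only wildcard, a missing "(runas)" defaults to root, and aliases, Runas groups, tags such as NOPASSWD, negations and command arguments wildcards are deliberately left out. The rule set and the hostnames are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* One parsed rule from the constructed sudoers subset: "user host=(runas) command". */
struct rule {
    char user[32];
    char host[32];
    char runas[32];   /* "root" when the rule has no "(...)" spec, as in real sudoers */
    char cmd[128];    /* "ALL" or one full command line */
};

/* Parses lines such as "pjh ALL=(sockbot) ALL" or "alice ALL=/usr/bin/apt update".
 * Returns 1 on success, 0 for anything this subset does not understand. */
int parse_rule(const char *line, struct rule *r) {
    char spec[96];
    int consumed = 0;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%31s %95s%n", r->user, spec, &consumed) != 2) return 0;
    const char *rest = line + consumed;               /* text after the host=... token */
    while (*rest == ' ' || *rest == '\t') rest++;

    char *eq = strchr(spec, '=');
    if (eq == NULL) return 0;
    *eq = '\0';
    snprintf(r->host, sizeof r->host, "%s", spec);
    const char *ra = eq + 1;

    if (*ra == '(') {                                 /* explicit Runas spec */
        const char *close = strchr(ra, ')');
        if (close == NULL || close == ra + 1 || close[1] != '\0') return 0;
        size_t n = (size_t)(close - ra - 1);
        if (n >= sizeof r->runas) return 0;
        memcpy(r->runas, ra + 1, n);
        r->runas[n] = '\0';
        if (*rest == '\0') return 0;
        snprintf(r->cmd, sizeof r->cmd, "%s", rest);
    } else {                                          /* "host=command": runas is root */
        snprintf(r->runas, sizeof r->runas, "root");
        if (*ra == '\0') return 0;
        if (*rest) snprintf(r->cmd, sizeof r->cmd, "%s %s", ra, rest);
        else       snprintf(r->cmd, sizeof r->cmd, "%s", ra);
    }
    size_t len = strlen(r->cmd);                      /* strip trailing whitespace */
    while (len > 0 && strchr(" \t\n", r->cmd[len - 1])) r->cmd[--len] = '\0';
    return len > 0;
}

/* A field matches when the rule says ALL or names the value exactly. */
static int field_matches(const char *pattern, const char *value) {
    return strcmp(pattern, "ALL") == 0 || strcmp(pattern, value) == 0;
}

/* Decides whether user@host may run cmd as runas. Every rule in this subset is
 * permissive, so one matching rule grants; returns 1 (allow) or 0 (deny). */
int is_allowed(const char *const rules[], int nrules, const char *user,
               const char *host, const char *runas, const char *cmd) {
    for (int i = 0; i < nrules; i++) {
        struct rule r;
        if (!parse_rule(rules[i], &r)) continue;      /* malformed rules grant nothing */
        if (field_matches(r.user, user) && field_matches(r.host, host) &&
            field_matches(r.runas, runas) && field_matches(r.cmd, cmd))
            return 1;
    }
    return 0;
}

/* Constructed rule set modelled on the posts: pjh may be sockbot but never root;
 * deploy may run exactly one service command as root and nothing else. */
static const char *const demo_rules[] = {
    "pjh ALL=(sockbot) ALL",
    "deploy ALL=(root) /sbin/service httpd restart",
};
static const int demo_nrules = 2;

int main(void) {
    const char *ls = "/bin/ls /home/sockbot/ /root";
    printf("pjh as sockbot: %d\n", is_allowed(demo_rules, demo_nrules, "pjh", "hpdesktop", "sockbot", ls));
    printf("pjh as root:    %d\n", is_allowed(demo_rules, demo_nrules, "pjh", "hpdesktop", "root", ls));
    printf("deploy restart: %d\n", is_allowed(demo_rules, demo_nrules, "deploy", "web1", "root", "/sbin/service httpd restart"));
    printf("deploy shell:   %d\n", is_allowed(demo_rules, demo_nrules, "deploy", "web1", "root", "/bin/bash"));
    return 0;
}
```

The evaluator makes the least-privilege point of the transcript concrete: the Runas field is a separate check from the command field, so "ALL" in the command column still does not let pjh become root, and a rule with an exact command grants that string and nothing else. It is a model of the format, not of sudo's matching engine; real sudoers rules also carry aliases, negations, argument wildcards and "last match wins" ordering, which is why the real file deserves visudo and a test with sudo -l rather than a reimplementation.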
-
-
@yamikuronue ok, nobody other than you, @asdf and @Scarlet_Manuka does that
-
@wharrgarbl I do that too.
Maybe you're wrong in thinking nobody does that.