Thursday, June 23, 2016

Lets feed attacker input to "sh -c", to see what he's doing

This week I published a PoC for CVE-2016-4989 , which is
yet another local root exploit for setroubleshoot, working
out of the box on CentOS/RHEL 6.6, 6.7, 6.8, 7.0 and 7.1.

The underlying vulnerability and exploitation strategy
is very similar to CVE-2015-1815. So the writeup inside
the git almost entirely applies, except that the PoC
may be executed via remote shells (ssh) and that it is
using a helper binary in order to get a SELinux domain
confinement for an unconfined user, triggering the bug
inside setroubleshoot. To my knowledge this is a novel
approach. Its also new that straight-shooter may be
used as a Docker breakout, if run inside a container,
which has running setroubleshoot running on the host.

Out of personal interest: If you like exploits - either
professional, or as a hobby - and demand for
freedom of speech or freedom of expression, try your best
to lobby against the Wassenaar regulation of exploits. The
Wassenaar regulation of exploits is just a vehicle (sold to
you as a privacy win) to cover backdoors and criminalize
bug finding. Any serious exploit coder and researcher I know
is arguing against Wassenaar, and so should you.