skip to main |
skip to sidebar
During this years hackweek, I implemented a
OpenSSL PrivSep. It's far from complete, but it features most
of the SSL functions you need to run a SSL server
or client. It also features the seccomp sandbox,
so all the dirty SSL handshake and protocol/parsing is done
in a confined process.
I used my research webserver project, lophttpd to
demonstrate on how it works.
Basically you just include two header files,
provide a callback named privsep_init() and tell
the PrivSeped process, which is started at the
time you call any of the OpenSSL init functions,
when to actually drop the privileges with
SSL_privsep_ctrl(PRIVSEP_DROP_PRIV). And thats it.
You can copy the *.c and *.h files from the sslps
git repo to the lophttpd dir and make -f Makefile.sslps
Do not mind the warnings about the redefinitions
of certain OpenSSL macros, they need to be replaced
in order to proxy all the SSL_ functions to the
confined process.
Fear my drawing skills and have a look at the whole picture
so its easier to understand :)
We miss you Kurt, your music is an endless source of
power for creating the 90's exploits.
YEAAAAAAAAAAAAAA\x41\x41\x41\x41\x41\x41\x41YYYYYYY! (at 2:22 !!)
Recent kernels (3.8+ something) introduced a feature called
user-namespaces (user-ns, CLONE_NEWUSER flag)
in which you can have your own UID 0.
Think of it as a container solution, so you can
set up compartments on a host. A nice thing,
but it has some security implications. In particular
if you mix this feature with CLONE_FS, which means
that the file-system state is shared between the
containers (e.g. processes). You suddenly get this:
The problem here is that parent and child share the
FS info (the chroot in this case), but only the child
has got its own user-ns. Since it has the
capability to do the chroot() in its own user-ns,
it will succeed doing the chroot() syscall but due to
CLONE_FS, it will also affect the parent.
Parent however stays in the init user-ns (the user-ns
that is default upon boot and the namespace where you
want to have root).
Getting a rootshell from inside a user controlled chroot
with help from outside processes is straight forward.
The xSports can be found here.
Update:
A CVE has been assigned (CVE-2013-1858) and a patch was made.
Although the c10k problem is not really a problem in
Computer Science anymore, I successfully solved the
c25k problem (and I am not talking about exploit prices)
for myself.
lophttpd can handle even more connections on a commodity PC,
single core, without connection drops. If your network equipment
is just good enough (GBit patch cable!:)
I added a new -s switch that lets you experiment with different
scheduling strategies if the TCP send buffers start to fill.
Nevertheless, as poll() will not report a POLLOUT revent
if the TCP send buffer is full, the none stragegy should just be fine.
Other strategies are minimize (reduce chunksize to minimum)
or suspend (temporarily remove client from POLLOUT list, if
TCP send buffer has data from last send). In particular the
suspend strategy may be of interest, as it reduces the
amount of poll events that the kernel needs to check for.
However, I could not measure any real benefit. Probably one
reason more to say that c10k is not a problem anymore since
quite a lot of time.
Interestingly: lophttpd, if under load, can even utilize
more than 100% CPU:
I added 404-caching to lophttpd, in the hope that
it will result in overall speedup if a lot of clients
try to fetch non-existing files (favicon.ico etc.)
The key for the cache is the first line that is sent,
so once we see this request again, we dont need to parse the
entire header, decode the pathname and stat() it before we send
the error reply. Good, eh?
Anyone can give your finger by spoofing DBUS signals
to pam_fprintd, effectively bypassing fprintd authentication.
Tested with fprintd 0.41.
darklena is the PoC and the authors have been informed.
Its probably about time to check dbus-glib usage or usage
of DBUS signals in privileged code in general.
[Update:] successfully tested on a vanilla FC16 setup with
fprintd installed from repository and SELinux target config
left as-is:
I pushed my experimental grep version to github.
It features only small amount of options, but it speeds
out grep's on large directory trees, in particular if
you have a fast HDD or SSD, where you can be as
twice as fast.
I moved the dzug.c from the null directory to xSports,
where it actually belongs to.
What is a D-Zug? Besides being an exploit for CVE-2012-3524,
a D-Zug (german: Durchgangs-Zug) was a fast kind of train
in the 70's and 80's. Nowadays its obsoleted by high speed
trains like ICE (similar to TGV in France).
dzug.c, also kind of a 80's style of living, integrates a lot of
attack vectors to proof CVE-2012-3524 exploitable.
There exist a lot of flavors of dzug.c, so
if this PoC version is not working for you, it means
indeed nothing. Its also not bound to Linux. Theoretically any
UNIX running DBUS is at risk.
I just compiled lophttpd 0.98 for Android
(without SSL support). Available here.
Nice, isn't it?
After better separating the client state machines
inside lophttpd yesterday, by encapsulating the
send and recv functions, it was easy to add HTTPS
support into lophttpd today (TLSv1 actually).
Everything works as normal, single threaded and non-blocking.
You will of course lose some performance compared to
plain sockets (as with any crypto) and also the sendfile() needs to be
emulated, but it should still give good performance.
Posts
