Re: static USERMODEHELPER_PATH

On 6/1/23 09:17, Steve Grubb wrote:
> Hello,
>
> I work on RHEL security problems. I have been looking into a number of
> exploits and I think we have a problem that has an easy fix. We are not using
> the CONFIG_STATIC_USERMODEHELPER_PATH kernel config option. There are a number
> of exploits that overwrite the path to modprobe and then pass something weird
> that causes modprobe to be invoked. But instead of modprobe, it's their
> reverse shell.
>
> If we make the assignment CONFIG_STATIC_USERMODEHELPER_PATH="/usr/" and we
> change /proc/sys/kernel/modprobe to sbin/modprobe and
> /proc/sys/kernel/core_pattern to
> lib/systemd/systemd-coredump %P %u %g %s %t %c %h, then it
> limits any exploits to programs that are in /usr. Only root can write here,
> therefore no escalation. Typically, an exploit changes modprobe path to
> /tmp/foo which is shorter than /usr/sbin/modprobe and an area the attacker can
> control.
>
> For this mitigation, we'd need to:
>
> 1) set the config option in the kernel build
> 2) update /proc/sys/kernel/modprobe however it's set (CONFIG_MODPROBE_PATH)
> 3) update /proc/sys/kernel/core_pattern however it's set
>
> If we fix the modprobe path issue, there are a couple other areas that call
> usermode helper such as handle_initrd, fork_usermode_driver,
> CONFIG_UEVENT_HELPER, and sbin/request-key which would need some touch ups.
>
> The benefit is a lot of privilege escalation attacks are taken away.
>
> Does this sound worthwhile? Would people support this? Does this need to be
> filed as a system wide change? Who could help make this happen if approved?

It sounds worthwhile to me, ;)

I'd be up for helping with it.

As much as I hate working in the proc file system, I can try
and work out what needs to be done for the proc file system
bits.


Ian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
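An added example, not part of the thread or of any Fedora or kernel code: an audit of the helper paths named in `kernel.modprobe` and `kernel.core_pattern` that reports every path component a non-root user owns or can write. The function names, the constructed `SAMPLE_FS`, and the optional `base` argument (which models the prefix layout as the message describes it) are assumptions of this example.

```python
import os
import stat
from collections import namedtuple

# Constructed sample filesystem for offline runs: path -> (owner uid, mode).
Meta = namedtuple("Meta", "st_uid st_mode")
ROOT_DIR, ROOT_BIN = Meta(0, stat.S_IFDIR | 0o755), Meta(0, stat.S_IFREG | 0o755)
SAMPLE_FS = {p: ROOT_DIR for p in ("/", "/usr", "/usr/sbin", "/usr/lib", "/usr/lib/systemd")}
SAMPLE_FS.update({"/usr/sbin/modprobe": ROOT_BIN, "/usr/lib/systemd/systemd-coredump": ROOT_BIN,
                  "/tmp": Meta(0, stat.S_IFDIR | 0o1777), "/tmp/foo": Meta(1000, stat.S_IFREG | 0o755)})

def helper_path(sysctl, value, base=None):
    """Program named by a sysctl value, or None when no helper would be run."""
    value = value.strip()
    if sysctl == "kernel.core_pattern":
        if not value.startswith("|"):
            return None  # plain file pattern, nothing is executed
        value = value[1:]
    words = value.split()
    prog = words[0] if words else None
    if prog and base is not None:  # prefix layout as described in the message (assumption)
        prog = os.path.normpath(base.rstrip("/") + "/" + prog.lstrip("/"))
    return prog

def untrusted_components(path, stat_fn=os.stat, resolve=os.path.realpath):
    """Components of a helper path that a non-root user owns or can write."""
    if not path.startswith("/"):
        return [(path, "relative path")]
    bad, cur = [], "/"
    for part in [""] + [p for p in resolve(path).split("/") if p]:
        cur = os.path.join(cur, part)
        try:
            meta = stat_fn(cur)
        except (KeyError, OSError):
            return bad + [(cur, "missing")]
        if meta.st_uid != 0:
            bad.append((cur, "not owned by root"))
        elif meta.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append((cur, "group/world-writable"))
    return bad

def audit(settings, base=None, stat_fn=os.stat, resolve=os.path.realpath):
    """Map each sysctl name to (helper program, list of findings)."""
    report = {}
    for name, value in settings.items():
        prog = helper_path(name, value, base)
        report[name] = (prog, untrusted_components(prog, stat_fn, resolve) if prog else [])
    return report
```

On a live system, pass the contents of `/proc/sys/kernel/modprobe` and `/proc/sys/kernel/core_pattern` as `settings` and keep the default `stat_fn` and `resolve`, so symlinked helpers are checked at their real location.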