Re: Proof is in the pudding

On 17/05/13 02:32, Trevor Hemsley wrote:
On 17/05/13 01:03, Douglas Brown wrote:
Hi all,

You may have seen this vulnerability talked about
recently: http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

After a long time of evangelising about SELinux to my sceptical
colleagues, this seemed like the perfect opportunity to test it.

We tried the exploit with SELinux in permissive mode and it worked then
in enforcing and SELinux prevented it! Not that I'm surprised, but it's
nice to have a real-world exploit to demonstrate.

Unfortunately, whatever you tested was not this.

$ ls -la sem*
-rwxrwxr-x. 1 trevor trevor 10007 May 14 13:39 semtex
-rw-rw-r--. 1 trevor trevor  2488 May 14 13:39 semtex.c
$ getenforce
Enforcing
$ uname -a
Linux hostname 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
$ ./semtex
2.6.37-3.x x86_64
sd@xxxxxxxxxxxxx 2010
-sh-4.1#

Sorry.

Trevor
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

Trevor,
Are you running targeted policy? If so, the normal users are unconfined_u, that is unconfined_u:object_r:user_home_t:s0.

If you make the user confined, you get something like this, for example:
2.6.37-3.x x86_64
sd@xxxxxxxxxxxxx 2010
-sh: /home/$USER/.profile: Permission denied
-sh-4.1# ^C
-sh-4.1# kill -9 19457
-sh: kill: (19457) - Operation not permitted
-sh-4.1# init 6
-sh: init: command not found
-sh-4.1# su
-sh: su: command not found

But as I said, you could modify the exploit to turn off SELinux.

So, SELinux kind of mitigates the attack, but it is not a fix, just an obstacle.

SELinux can never really be a system to implement a 100% secure system, like many other technologies that do the same.
The golden rule is: There is no 100% secure system.

However, I think we should all be grateful, that Linux has various mitigation technologies available to it.

Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
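An added example, not from this thread or from the SELinux project, of how a defender can check the point Tristan raises: under targeted policy, whether a login is actually confined or mapped to unconfined_u. The script parses `semanage login -l` output; the three-column layout is assumed to match RHEL/CentOS 6, and the sample output embedded below is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit which logins SELinux actually
# confines. Assumes the three-column output of `semanage login -l` as on
# RHEL/CentOS 6 (Login Name / SELinux User / MLS-MCS Range); the sample
# below is constructed, not captured from a real host.

SAMPLE_SEMANAGE_LOGIN='
Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
trevor                    user_u                    s0
'

# Print login names mapped to unconfined_u, one per line.
# Reads `semanage login -l` output on stdin; header and blank lines are skipped.
unconfined_logins() {
    awk 'NF >= 2 && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Exit 0 if login $1 is confined (mapped to anything but unconfined_u),
# 1 otherwise. Logins without an explicit mapping inherit __default__.
is_confined() {
    awk -v l="$1" '
        NF >= 2 && $1 != "Login" && $1 == l             { found = $2 }
        NF >= 2 && $1 != "Login" && $1 == "__default__" { def = $2 }
        END {
            u = (found != "") ? found : def
            if (u == "unconfined_u") exit 1
            exit 0
        }'
}

# SELinux user of a process context such as the output of `id -Z`,
# e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> unconfined_u
context_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Demo on the constructed sample; on a live host replace the printf with
# `semanage login -l`. To confine a login (semanage syntax, run as root):
#   semanage login -a -s user_u -r s0 trevor        # one user
#   semanage login -m -s user_u -r s0 __default__   # everyone without a mapping
printf '%s\n' "$SAMPLE_SEMANAGE_LOGIN" | unconfined_logins
```

A session whose `id -Z` starts with unconfined_u gets none of the denials shown in Tristan's transcript, so the mapping is what decides whether SELinux is an obstacle to the root shell at all.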
