oss-sec mailing list archives

Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Steve Grubb <sgrubb () redhat com>
Date: Thu, 24 Jan 2013 22:10:52 -0500

On Thursday, January 24, 2013 05:53:38 PM Kurt Seifried wrote:
> So again, if you know of a way to exploit this please let us know,
> otherwise we will continue to consider this a security hardening issue
> and not a security vulnerability.

The way these supplemental group issues work is that depending on the groups 
file, the daemon may try to change to user/group "nobody", but retains group 
root. This means that any file with group root write privs could be 
replaced/altered. My experience is that distros have enough files that 
permissions are wrong on something, somewhere. It's just a matter of finding it.

find / -type f -perm -00020 -printf "%-60p %g\t%M\n" 2>/dev/null

So, it boils down to this: the problem isn't a vulnerability by itself. However,
should a _real_ vulnerability be found in the program, the CVSS score would be 
higher because the program has CWE-250.

-Steve

