oss-sec: Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly

oss-sec mailing list archives

Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly

From: Steve Grubb <sgrubb () redhat com>
Date: Thu, 24 Jan 2013 22:10:52 -0500

On Thursday, January 24, 2013 05:53:38 PM Kurt Seifried wrote:

So again, if you know of a way to exploit this please let us know,
otherwise we will continue to consider this a security hardening issue
and not a security vulnerability.


The way these supplemental group issues work is that depending on the groups 
file, the daemon may try to change to user/group "nobody", but retains group 
root. This means that any file with group root write privs could be 
replaced/altered. My experience is that distros have enough files that 
permissions are wrong on something, somewhere. Its just a matter of finding it.

find / -type f -perm -00020 -printf "%-60p %g\t%M\n" 2>/dev/null

So, it boils down to the problem isn't a vulnerability by itself. However, 
should a _real_ vulnerability be found in the program, the CVSS score would be 
higher because the program has CWE-250.

-Steve

By Date By Thread

Current thread:

[Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Jan Lieskovsky (Jan 23)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Kurt Seifried (Jan 25)
  - Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Steve Grubb (Jan 25)
    - Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Willy Tarreau (Jan 29)