Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <36b82e6f-869b-57c5-366f-f47686dc53bb@orlitzky.com>
Date: Mon, 26 Dec 2016 14:51:27 -0500
From: Michael Orlitzky <michael@...itzky.com>
To: oss-security@...ts.openwall.com
Subject: Incomplete fix for CVE-2016-8641 (Nagios local root via (sym)links)

I don't know what I'm doing, and could use some advice.

CVE-2016-8641 relates to a symlink attack in the Nagios init script. If
he wishes, the "nagios" user can replace a specific file with a symlink,
and then the init script will chown the target of that symlink to the
"nagios" user the next time it is run.

A fix for this was released:

https://github.com/NagiosEnterprises/nagioscore/commit/f2ed227673d3b2da643eb5cad26b2d87674f28c1

Largely it consists of passing "-h" to chown, preventing chown from
following symlinks. And yet symlinks are not the only kind of link.
Chown will follow the other kind, too, meaning that the fix in that
commit is insufficient. I'm able to pull off the same sort of attack.

I sent a note to the Nagios maintainer a few minutes ago, but I don't
know what the best course of action is regarding the CVE. Start a new
one? Amend the existing one? Pretend it never happened because it's
Christmas?

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.