I believe that selinux saved me from a certain attack

Edward Kuns ekuns at kilroy.chi.il.us
Thu Dec 11 17:23:22 UTC 2008


Almost a week ago, some AVCs brought to my attention by setroubleshoot
made me look into system logs.  There were three complaints of:

SELinux is preventing the sh from using potentially mislabeled files
(./x).

Source Context:  system_u:system_r:httpd_t:s0
Target Context:  system_u:object_r:httpd_tmp_t:s0
Target Objects:  ./x [ file ]
First Seen:  Fri 05 Dec 2008 04:32:12 AM CST
Last Seen:  Fri 05 Dec 2008 04:32:12 AM CST

and twenty complaints of:

SELinux is preventing the http daemon from connecting to the itself or
the relay ports

Source Context:  system_u:system_r:httpd_t:s0
Target Context:  system_u:object_r:http_cache_port_t:s0
Target Objects:  None [ tcp_socket ]
Source:  wget
Source Path:  /usr/bin/wget
Port:  8080
First Seen:  Fri 05 Dec 2008 04:32:09 AM CST
Last Seen:  Fri 05 Dec 2008 04:34:34 AM CST

This led me to look in my http access logs, where I found:

74.247.251.227 - - [05/Dec/2008:04:32:11 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:08 -0600]
"POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows 98)"

Looking in the http error log, I see prodigious complaints at the same
time, but also for my later wordtrans use (so I had something to compare
against).  It looks like wordtrans-web tries to create a .kde directory,
among other things.  The only significant difference between the error
logs of my access and the attack is that during the attack I see one
instance of

sh: /var/tmp/x: Permission denied
sh: line 0: exec: /var/tmp/x: cannot execute: Permission denied

among the rest of the errors generated by wordtrans.  (I didn't see
a /var/tmp/x, but I didn't look until somewhat later.)

I did my own wordtrans access and there was not just the POST but a
bunch of GETs before that to load the web page.  This difference made it
clear that wordtrans was the attack vector so I googled for "http attack
wordtrans" and found that the version of wordtrans I have installed is
successfully attackable:

http://www.juniper.net/security/auto/vulnerabilities/vuln30027.html

If not for selinux, this attack certainly would have been successful and
unnoticed.  While selinux stopped this attack, I still did an "rpm -e
wordtrans-web" as it was only installed as a cool toy, not anything I
need.

The full AVCs are listed below, from the attack, in case this is of
interest.

I thought I would share this in case it was useful or interesting.
Thank you for your work on improved security!

           Eddie


type=AVC msg=audit(1228473129.823:148293): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473130.824:148294): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473130.824:148294): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473132.155:148295): avc:  denied  { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1228473132.155:148295): arch=40000003 syscall=11
success=no exit=-13 a0=853a2a0 a1=853a280 a2=8538b10 a3=853a280 items=0
ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473132.155:148296): avc:  denied  { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1228473132.155:148296): arch=40000003 syscall=33
success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641
pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473132.155:148297): avc:  denied  { execute } for
pid=31642 comm="sh" name="x" dev=dm-2 ino=32828
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1228473132.155:148297): arch=40000003 syscall=33
success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641
pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473132.824:148298): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473132.824:148298): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473135.824:148299): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473135.824:148299): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473139.824:148300): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473139.824:148300): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473144.825:148301): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473144.825:148301): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473150.825:148302): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473150.825:148302): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473157.825:148303): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473157.825:148303): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473165.825:148304): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473165.825:148304): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473174.825:148305): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473174.825:148305): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473184.825:148306): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473184.825:148306): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473194.825:148307): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473194.825:148307): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473204.826:148308): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473204.826:148308): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473214.826:148309): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473214.826:148309): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473221.544:148310): avc:  denied  { read write }
for  pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs
ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1228473221.544:148310): arch=40000003 syscall=11
success=yes exit=0 a0=8715e78 a1=8715f48 a2=87154f8 a3=40 items=0
ppid=31673 pid=31674 auid=4294967295 uid=8 gid=12 euid=8 suid=8 fsuid=8
egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="mailman"
exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null)

type=AVC msg=audit(1228473224.826:148311): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473224.826:148311): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473234.826:148312): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473234.826:148312): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473244.826:148313): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473244.826:148313): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473254.826:148314): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473254.826:148314): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473264.826:148315): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473264.826:148315): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228473274.826:148316): avc:  denied
{ name_connect } for  pid=31619 comm="wget" dest=8080
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1228473274.826:148316): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0
ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget"
exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
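The records above are the raw form of what setroubleshoot summarised at the top of the post. As an added example (not code from the post or from the SELinux project), the script below does the same triage from audit.log and the httpd access log: it collapses repeated AVC denials into one line per source/permission/target with first and last seen, marks the two denial kinds the post describes (an httpd_t process executing a file or opening an outbound TCP connection) as high signal, ties each group to the requests Apache received in the seconds before its first denial, and lists clients that POSTed to the script without ever fetching a page first, which is the difference the post used to spot the attack. Assumptions of the example: audit.log records are one per line (the post wraps them for e-mail), a five-second correlation window, the `HIGH_SIGNAL` pairs, and a constructed benign GET from the documentation-range address 192.0.2.10 added to the post's four POSTs.

```python
"""Triage SELinux AVC denials against an httpd access log (added example).

Groups audit.log AVC records the way setroubleshoot does, flags httpd_t
execute / name_connect denials, and joins each group to the web requests
received shortly before it so the triggering request can be identified.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: AVC records copied from the post's appendix, one
# record per line as audit.log stores them; the SYSCALL line is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1228473129.823:148293): avc:  denied  { name_connect } for  pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473130.824:148294): avc:  denied  { name_connect } for  pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1228473132.155:148295): avc:  denied  { execute } for  pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1228473221.544:148310): avc:  denied  { read write } for  pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
"""

# Constructed sample access log: the post's four POSTs plus one earlier
# GET from 192.0.2.10 (documentation range) standing in for normal use.
SAMPLE_ACCESS = """\
192.0.2.10 - - [05/Dec/2008:03:50:00 -0600] "GET /wordtrans/wordtrans.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"
74.247.251.227 - - [05/Dec/2008:04:32:08 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:11 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumption of this example: a web-server domain executing a file or
# connecting out is high signal, as those are the two denials in the post.
HIGH_SIGNAL = {('httpd_t', 'execute'), ('httpd_t', 'name_connect')}


def selinux_type(context):
    """Third field of a user:role:type:level context, e.g. httpd_t."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'time': datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc),
            'perms': ' '.join(m.group('perms').split()), 'comm': kv.get('comm'),
            'source': selinux_type(kv['scontext']), 'target': selinux_type(kv['tcontext']),
            'tclass': kv['tclass'],
            'object': kv.get('name') or kv.get('path') or kv.get('dest')}


def parse_access(line):
    """Parse the leading fields of an Apache combined-format line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {'time': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
            'ip': m.group('ip'), 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def summarize(denials):
    """Collapse repeats into one entry per (source, perms, target, class)."""
    groups = {}
    for d in denials:
        key = (d['source'], d['perms'], d['target'], d['tclass'])
        g = groups.setdefault(key, {'count': 0, 'comm': d['comm'], 'object': d['object'],
                                    'first': d['time'], 'last': d['time']})
        g['count'] += 1
        g['first'], g['last'] = min(g['first'], d['time']), max(g['last'], d['time'])
    return groups


def posts_without_prior_get(requests):
    """IPs that POSTed without ever having fetched a page with GET."""
    seen_get, flagged = set(), set()
    for r in sorted(requests, key=lambda r: r['time']):
        if r['method'] == 'GET':
            seen_get.add(r['ip'])
        elif r['method'] == 'POST' and r['ip'] not in seen_get:
            flagged.add(r['ip'])
    return sorted(flagged)


def triage(audit_text, access_text, window=timedelta(seconds=5)):
    """Join each denial group to requests received within `window` before its
    first denial; Apache stamps the time a request arrived, so a request just
    before the denial is the likely trigger."""
    denials = [d for d in map(parse_avc, audit_text.splitlines()) if d]
    requests = [r for r in map(parse_access, access_text.splitlines()) if r]
    report = []
    for key, g in summarize(denials).items():
        hits = [r for r in requests if timedelta(0) <= g['first'] - r['time'] <= window]
        report.append({'key': key, 'count': g['count'], 'comm': g['comm'],
                       'object': g['object'], 'first': g['first'], 'last': g['last'],
                       'high': (key[0], key[1]) in HIGH_SIGNAL,
                       'suspects': sorted({r['ip'] for r in hits}), 'requests': hits})
    return report


if __name__ == '__main__':
    for e in triage(SAMPLE_AUDIT, SAMPLE_ACCESS):
        print('HIGH' if e['high'] else '    ', *e['key'], f"x{e['count']}",
              f"comm={e['comm']} obj={e['object']} suspects={e['suspects']}")
```

Run on the sample, the execute denial on `x` and the twenty-odd wget `name_connect` retries each collapse to one line, both marked HIGH and both pointing at the same client, while the unrelated mailman denial correlates with nothing; `posts_without_prior_get` names the same client, since it never loaded the page before POSTing.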
