Proof is in the pudding

Tristan Santore tristan.santore at internexusconnect.net
Fri May 17 01:39:28 UTC 2013


On 17/05/13 02:32, Trevor Hemsley wrote:
> On 17/05/13 01:03, Douglas Brown wrote:
>> Hi all,
>>
>> You may have seen this vulnerability talked about
>> recently: http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
>>
>> After a long time of evangelising about SELinux to my sceptical
>> colleagues, this seemed like the perfect opportunity to test it.
>>
>> We tried the exploit with SELinux in permissive mode and it worked then
>> in enforcing and SELinux prevented it! Not that I'm surprised, but it's
>> nice to have a real-world exploit to demonstrate.
>
> Unfortunately, whatever you tested was not this.
>
> $ ls -la sem*
> -rwxrwxr-x. 1 trevor trevor 10007 May 14 13:39 semtex
> -rw-rw-r--. 1 trevor trevor  2488 May 14 13:39 semtex.c
> $ getenforce
> Enforcing
> $ uname -a
> Linux hostname 2.6.32-358.6.1.el6.x86_64 #1 SMP Tue Apr 23 19:29:00 UTC
> 2013 x86_64 x86_64 x86_64 GNU/Linux
> $ ./semtex
> 2.6.37-3.x x86_64
> sd at fucksheep.org 2010
> -sh-4.1#
>
> Sorry.
>
> Trevor
>
Trevor,
Are you running targeted policy? If so, the normal users are
unconfined_u, that is unconfined_u:object_r:user_home_t:s0.

If you make the user confined, you get something like this, for example:
2.6.37-3.x x86_64
sd at fucksheep.org 2010
-sh: /home/$USER/.profile: Permission denied
-sh-4.1# ^C
-sh-4.1# kill -9 19457
-sh: kill: (19457) - Operation not permitted
-sh-4.1# init 6
-sh: init: command not found
-sh-4.1# su
-sh: su: command not found

But as I said, you could modify the exploit to turn off SELinux.

So, SELinux kind of mitigates the attack, but it is not a fix, just an
obstacle.

SELinux can never really be a system to implement a 100% secure system,
like many other technologies that do the same.
The golden rule is: There is no 100% secure system.

However, I think we should all be grateful that Linux has various
mitigation technologies available to it.

Regards,
Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org

