Security Leftovers
-
GNU ☛ GNU Guix: Build User Takeover Vulnerability
A security issue has been identified in guix-daemon which allows a local user to gain the privileges of any of the build users and subsequently use this to manipulate the output of any build. You are strongly advised to upgrade your daemon now (see instructions below), especially on multi-user systems.
This exploit requires the ability to start a derivation build and the ability to run arbitrary code with access to the store in the root PID namespace on the machine the build occurs on. As such, this represents an increased risk primarily to multi-user systems and systems using dedicated privilege-separation users for various daemons: without special sandboxing measures, any process of theirs can take advantage of this vulnerability.
Vulnerability
For a very long time, guix-daemon has helpfully made the outputs of failed derivation builds available at the same location they were at in the build container. This has aided greatly, especially in situations where test suites require the package to already be installed in order to run, as it allows one to re-run the test suite interactively outside of the container when built with --keep-failed. This transferral of store items from inside the chroot to the real store was implemented with a simple rename, and no modification of the store item or any files it may contain.
If an attacker starts a build of a derivation that creates a binary with the setuid and/or setgid bit in an output directory, and the build fails, that binary will be accessible unaltered to anybody on the system. The attacker or a cooperating user can then execute the binary, gain the privileges, and from there use a combination of signals and procfs to freeze a builder, open any file it has open via /proc/$PID/fd, and overwrite it with whatever it wants. This manipulation of builds can happen regardless of which user started the build, so it can work not only for producing compromised outputs for commonly-used programs before anybody else uses them, but also for compromising any builds another user happens to start.
-
Medevel ☛ 22 Open-source Free Android Security and Pentesting Tools for Dynamic and Static APK Analysis - APK Testing: The Frontline of Android Security
-
Federal News Network ☛ Effectiveness of cybersecurity penetration testing depends on what you penetrate
"We get to do all kinds of really interesting, often nefarious things. Our job is to think like the bad guys do, and to try and break in," said Rob Olson.
-
Josef Strzibny: A closer look at Rails force_ssl and assume_ssl
Rails comes with built-in support for SSL in the form of config.force_ssl. But what exactly does it do?
SSL middleware
The force_ssl directive adds the ActionDispatch::SSL middleware layer, which is a Rack middleware for HTTPS requests: [...]
-
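To make the Rails post above concrete, here is an added, dependency-free re-creation of what config.force_ssl and config.assume_ssl put on the Rack stack. It mirrors the documented behaviour of ActionDispatch::SSL (redirect plain HTTP to HTTPS, add an HSTS header, flag cookies Secure) and ActionDispatch::AssumeSSL (mark every request as TLS-terminated), but it is not the Rails source or the post author's code; the class names ForceSsl and AssumeSsl, the demo APP and the request helper are this example's own, and the requests it runs are constructed.

```ruby
# Stand-in for ActionDispatch::SSL: redirect plain HTTP to HTTPS; on HTTPS
# responses add Strict-Transport-Security and flag every Set-Cookie as Secure.
class ForceSsl
  HSTS_MAX_AGE = 2 * 365 * 24 * 60 * 60 # two years, Rails' default

  def initialize(app, hsts_max_age: HSTS_MAX_AGE)
    @app = app
    @hsts = "max-age=#{hsts_max_age}; includeSubDomains"
  end

  def call(env)
    return redirect_to_https(env) unless ssl?(env)

    status, headers, body = @app.call(env)
    headers["Strict-Transport-Security"] ||= @hsts
    flag_cookies_secure!(headers)
    [status, headers, body]
  end

  private

  # The same signals Rack::Request#ssl? consults: the HTTPS env flag, the URL
  # scheme, or the first value of X-Forwarded-Proto set by a reverse proxy.
  def ssl?(env)
    env["HTTPS"] == "on" || env["rack.url_scheme"] == "https" ||
      env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    # 301 for GET/HEAD; 307 otherwise so the method and body are preserved.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/html" }, []]
  end

  def flag_cookies_secure!(headers)
    return unless headers["Set-Cookie"]

    headers["Set-Cookie"] = headers["Set-Cookie"].split("\n").map do |cookie|
      cookie.match?(/;\s*secure(;|\z)/i) ? cookie : "#{cookie}; secure"
    end.join("\n")
  end
end

# Stand-in for ActionDispatch::AssumeSSL: declare the request TLS-terminated so
# everything below it (ForceSsl included) treats it as HTTPS. Intended for a
# proxy that terminates TLS but does not forward the scheme to the app.
class AssumeSsl
  def initialize(app)
    @app = app
  end

  def call(env)
    env["HTTPS"] = "on"
    env["HTTP_X_FORWARDED_PORT"] = "443"
    env["HTTP_X_FORWARDED_PROTO"] = "https"
    env["rack.url_scheme"] = "https"
    @app.call(env)
  end
end

# Demo endpoint (constructed) that sets a cookie without the Secure attribute.
APP = lambda do |_env|
  [200, { "Content-Type" => "text/plain", "Set-Cookie" => "session=abc; HttpOnly" }, ["hello"]]
end

def force_ssl_app
  ForceSsl.new(APP)
end

# Rails inserts AssumeSSL ahead of SSL in the stack, so it is the outer layer here too.
def assume_ssl_app
  AssumeSsl.new(ForceSsl.new(APP))
end

# Build a Rack env for a constructed request and run it through +app+.
def request(app, method: "GET", https: false, forwarded_proto: nil, path: "/")
  env = {
    "REQUEST_METHOD" => method, "HTTP_HOST" => "example.test", "PATH_INFO" => path,
    "QUERY_STRING" => "", "rack.url_scheme" => https ? "https" : "http"
  }
  env["HTTPS"] = "on" if https
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  app.call(env)
end

if __FILE__ == $PROGRAM_NAME
  p request(force_ssl_app).first(2)                   # plain HTTP: 301 to https://
  p request(force_ssl_app, forwarded_proto: "https")[1] # proxy says https: HSTS + Secure
  p request(assume_ssl_app)[1]                        # no header, but assume_ssl: same
end
```

The failure mode worth seeing in the output: a proxy that terminates TLS, speaks plain HTTP to the app and drops X-Forwarded-Proto makes force_ssl redirect every request back to the proxy, which forwards it as plain HTTP again, and so on. assume_ssl breaks that loop by asserting the scheme, which also means it must only be enabled when no plaintext path to the app exists, because it disables the redirect for every request, including ones that really did arrive unencrypted.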
SANS ☛ A Network Nerd's Take on Emergency Preparedness, (Tue, Oct 15th)
Over the last month, two hurricanes barely missed me. Luckily, neither caused me any significant inconvenience. Sadly, others were not as lucky, and I think this is a good time to do a little "Lessons Learned" exercise.
-
NVISO Labs ☛ Hunting for Remote Management Tools: Detecting RMMs
In our previous blog post about RMM (Remote Management and Monitoring) tools, we highlighted the prevalence of such tooling in nearly every organization’s environment.