1 |
Why are the bit root-suid applications a risk in the point of view of security? |
2 |
The X server is a root-setuid binary that can't be assured from the |
3 |
point of view of posix capabilities for example, the reason is clear |
4 |
one process that has only CAP_SYS_RAWIO capability could make raw |
5 |
writing in /dev/mem!!!. Before the filesystem capabilities one process |
6 |
with only CAP_SYS_RAWIO and the others restricted could add all |
7 |
others capabilities missing by simply searching the cap_bset in their |
8 |
system.map and writting 0xFFFFFEFF in it through /dev/mem. With this |
9 |
hack he has CAP_SYS_SUID CAP_SYS_SGID, CAP_DAC_OVERRIDE etc..., now |
10 |
with the filesystem capabilities probably you could do the same by |
11 |
writting in the task_struct of the process. Xorg is worst than a |
12 |
normal setuid program, ping for example could be assured granting only |
13 |
CAP_NET_RAW, with this privilege ping can't own the rest of the |
14 |
system. Xorg can't be assured, it needs CAP_SYS_RAWIO and |
15 |
CAP_DAC_OVERRIDE between others, enough to write /dev/mem). |
16 |
|
17 |
Xorg adds one level of complexity unaceptable from a security view |
18 |
point, it's something like sendmail, how could you make sendmail more |
19 |
secure?, rewritting it from 0!!!! Xorg was not designed to be secure, |
20 |
only to networking. Patches has been added (as xace extensions) to |
21 |
make it a bit more secure, but it stills insecure (if you dress a |
22 |
monkey to be saw as a human, it stills being monkey!!). Xorg mmaps |
23 |
video memory through /dev/mem and I think that the way it does it is |
24 |
which make it incompatible with PaX mprotect restrictions (pax author |
25 |
could tell you more), so is a problem of Xorg, not PaX does simply |
26 |
does his job kill Xorg. |
27 |
|
28 |
Complexity and security are enemies, and if complexity is added to a |
29 |
bad design then switch off. |
30 |
|
31 |
In my opinion having 3 or 300 holes is irrelevant from a security view |
32 |
point, with only one is enough!. Any programmer with a bit of known of |
33 |
assembly could make exploits, and as phrack made in one of his |
34 |
articles, one great programmer with deep knowledge of memory |
35 |
management and PaX could even defeat it. |
36 |
|
37 |
|
38 |
2008/11/25 Jan Klod <janklodvan@×××××.com>: |
39 |
> On Tuesday 25 November 2008 19:58:42 RB wrote: |
40 |
>> KDE (and to a lesser extent X) pretty much nullifies most application |
41 |
>> isolation efforts you're going to make. |
42 |
> |
43 |
> Actually, that sound like there is practically no way to keep networked |
44 |
> workstation really secure. Sure, is not trivial to gain root access through |
45 |
> software bugs (interesting, how many list member would be able to do it?), |
46 |
> but no one running X can claim, he has absolutely secure system, which can't |
47 |
> fail him regardless to who is the hacker. |
48 |
> Furthermore, the system is said to be only as secure as the weakest part, so |
49 |
> making hardened server will only slow down attacks and, at most, ensure |
50 |
> server stability. Still, if there is someone ready to attack servers end |
51 |
> clients (which ones will almost always have X running), the way can be open. |
52 |
> |
53 |
> Can someone explain how would it happen, the exploitation of buffer overflow |
54 |
> in X? How would attacker gain access to X bug most importantly? What are |
55 |
> those ways for other apps? Always different? |
56 |
> And have there been any efforts to make PaX enabled X? |
57 |
> |
58 |
> Personally, I think, the best way would be using firewall to allow only the |
59 |
> most necessary addresses, which point to trusted services (mail,sftp,...). |
60 |
> That said, web browsing is cut off. |
61 |
> |
62 |
> As a conclusion of what I have read this far I can state: hardened OS is |
63 |
> useless for non-server. Would that be too much? Well, I think, in a "black |
64 |
> and white" no. (later is a discussion of what is better: to have 3 holes or |
65 |
> 300) |
66 |
> |
67 |
> Comments? |
68 |
> |
69 |
> |