| 1 |
Why are the bit root-suid applications a risk in the point of view of security? |
| 2 |
The X server is a root-setuid binary that can't be assured from the |
| 3 |
point of view of posix capabilities for example, the reason is clear |
| 4 |
one process that has only CAP_SYS_RAWIO capability could make raw |
| 5 |
writing in /dev/mem!!!. Before the filesystem capabilities one process |
| 6 |
with only CAP_SYS_RAWIO and the others restricted could add all |
| 7 |
others capabilities missing by simply searching the cap_bset in their |
| 8 |
system.map and writting 0xFFFFFEFF in it through /dev/mem. With this |
| 9 |
hack he has CAP_SYS_SUID CAP_SYS_SGID, CAP_DAC_OVERRIDE etc..., now |
| 10 |
with the filesystem capabilities probably you could do the same by |
| 11 |
writting in the task_struct of the process. Xorg is worst than a |
| 12 |
normal setuid program, ping for example could be assured granting only |
| 13 |
CAP_NET_RAW, with this privilege ping can't own the rest of the |
| 14 |
system. Xorg can't be assured, it needs CAP_SYS_RAWIO and |
| 15 |
CAP_DAC_OVERRIDE between others, enough to write /dev/mem). |
| 16 |
|
| 17 |
Xorg adds one level of complexity unaceptable from a security view |
| 18 |
point, it's something like sendmail, how could you make sendmail more |
| 19 |
secure?, rewritting it from 0!!!! Xorg was not designed to be secure, |
| 20 |
only to networking. Patches has been added (as xace extensions) to |
| 21 |
make it a bit more secure, but it stills insecure (if you dress a |
| 22 |
monkey to be saw as a human, it stills being monkey!!). Xorg mmaps |
| 23 |
video memory through /dev/mem and I think that the way it does it is |
| 24 |
which make it incompatible with PaX mprotect restrictions (pax author |
| 25 |
could tell you more), so is a problem of Xorg, not PaX does simply |
| 26 |
does his job kill Xorg. |
| 27 |
|
| 28 |
Complexity and security are enemies, and if complexity is added to a |
| 29 |
bad design then switch off. |
| 30 |
|
| 31 |
In my opinion having 3 or 300 holes is irrelevant from a security view |
| 32 |
point, with only one is enough!. Any programmer with a bit of known of |
| 33 |
assembly could make exploits, and as phrack made in one of his |
| 34 |
articles, one great programmer with deep knowledge of memory |
| 35 |
management and PaX could even defeat it. |
| 36 |
|
| 37 |
|
| 38 |
2008/11/25 Jan Klod <janklodvan@×××××.com>: |
| 39 |
> On Tuesday 25 November 2008 19:58:42 RB wrote: |
| 40 |
>> KDE (and to a lesser extent X) pretty much nullifies most application |
| 41 |
>> isolation efforts you're going to make. |
| 42 |
> |
| 43 |
> Actually, that sound like there is practically no way to keep networked |
| 44 |
> workstation really secure. Sure, is not trivial to gain root access through |
| 45 |
> software bugs (interesting, how many list member would be able to do it?), |
| 46 |
> but no one running X can claim, he has absolutely secure system, which can't |
| 47 |
> fail him regardless to who is the hacker. |
| 48 |
> Furthermore, the system is said to be only as secure as the weakest part, so |
| 49 |
> making hardened server will only slow down attacks and, at most, ensure |
| 50 |
> server stability. Still, if there is someone ready to attack servers end |
| 51 |
> clients (which ones will almost always have X running), the way can be open. |
| 52 |
> |
| 53 |
> Can someone explain how would it happen, the exploitation of buffer overflow |
| 54 |
> in X? How would attacker gain access to X bug most importantly? What are |
| 55 |
> those ways for other apps? Always different? |
| 56 |
> And have there been any efforts to make PaX enabled X? |
| 57 |
> |
| 58 |
> Personally, I think, the best way would be using firewall to allow only the |
| 59 |
> most necessary addresses, which point to trusted services (mail,sftp,...). |
| 60 |
> That said, web browsing is cut off. |
| 61 |
> |
| 62 |
> As a conclusion of what I have read this far I can state: hardened OS is |
| 63 |
> useless for non-server. Would that be too much? Well, I think, in a "black |
| 64 |
> and white" no. (later is a discussion of what is better: to have 3 holes or |
| 65 |
> 300) |
| 66 |
> |
| 67 |
> Comments? |
| 68 |
> |
| 69 |
> |
Archives