| 1 |
On Wed, Jan 31, 2018 at 4:16 AM, Nikos Chantziaras <realnc@×××××.com> wrote: |
| 2 |
> On 30/01/18 23:43, Rich Freeman wrote: |
| 3 |
>> |
| 4 |
>> If you had some program that listened on a socket and accepted a |
| 5 |
>> length and a string and then did a bounds check using the length, it |
| 6 |
>> might be exploitable if a local process could feed it data. Even if |
| 7 |
>> the process only listened for outside connections it might be |
| 8 |
>> vulnerable if a local process colluded with a remote host to make that |
| 9 |
>> connection. |
| 10 |
> |
| 11 |
> |
| 12 |
> Well, if you're running a local process that is trying to attack you, you've |
| 13 |
> been compromised already, imo. |
| 14 |
> |
| 15 |
> Local processes are always trusted. |
| 16 |
|
| 17 |
Not at all. This is the whole point of uids on linux and any POSIX |
| 18 |
OS. There is separation of privilege. |
| 19 |
|
| 20 |
I should be able to give you ssh access to my database server using a |
| 21 |
UID different from my database server, and it should be impossible for |
| 22 |
you to damage my database (particularly if I am using resource |
| 23 |
limits/etc). |
| 24 |
|
| 25 |
Spectre allows local processes to probe the cache to obtain data |
| 26 |
leaked from other processes running under different UIDs (or even the |
| 27 |
kernel) which they should not have access to. |
| 28 |
|
| 29 |
If MariaDB has vulnerable code listening on its socket, and you can |
| 30 |
talk to that socket, and run code under a different UID, then you |
| 31 |
could in theory read arbitrary data from MariaDB's memory. That could |
| 32 |
include tables you don't otherwise have privileges to read, or |
| 33 |
possibly even credentials stored in memory that could allow you to |
| 34 |
connect to the server and execute arbitrary queries. |
| 35 |
|
| 36 |
Also, all this is requires is code running on the same CPU. It could |
| 37 |
be in a different VM, or a different container. |
| 38 |
|
| 39 |
However, I wouldn't completely neglect local priv escalation attacks. |
| 40 |
Sure, every sysadmin would prefer to not have code running on their |
| 41 |
server that they didn't put there, but there is still such a thing as |
| 42 |
defense in depth. There is a reason we don't run all our daemons as |
| 43 |
root. If your server's ntp client somehow has a vulnerability and now |
| 44 |
there is malicious code running under the ntp UID, it would still be |
| 45 |
preferable that this code STAY contained in the ntp UID vs having |
| 46 |
access to more mission-critical processes on the server. Sure, you |
| 47 |
will still want to wipe the server and install a clean one, but it |
| 48 |
would be nice if you could do that after migrating your production |
| 49 |
database/website/whatever to another server, versus having to revert |
| 50 |
to the last backup. |
| 51 |
|
| 52 |
-- |
| 53 |
Rich |
Archives