1 |
On Wed, Jan 31, 2018 at 4:16 AM, Nikos Chantziaras <realnc@×××××.com> wrote: |
2 |
> On 30/01/18 23:43, Rich Freeman wrote: |
3 |
>> |
4 |
>> If you had some program that listened on a socket and accepted a |
5 |
>> length and a string and then did a bounds check using the length, it |
6 |
>> might be exploitable if a local process could feed it data. Even if |
7 |
>> the process only listened for outside connections it might be |
8 |
>> vulnerable if a local process colluded with a remote host to make that |
9 |
>> connection. |
10 |
> |
11 |
> |
12 |
> Well, if you're running a local process that is trying to attack you, you've |
13 |
> been compromised already, imo. |
14 |
> |
15 |
> Local processes are always trusted. |
16 |
|
17 |
Not at all. This is the whole point of uids on linux and any POSIX |
18 |
OS. There is separation of privilege. |
19 |
|
20 |
I should be able to give you ssh access to my database server using a |
21 |
UID different from my database server, and it should be impossible for |
22 |
you to damage my database (particularly if I am using resource |
23 |
limits/etc). |
24 |
|
25 |
Spectre allows local processes to probe the cache to obtain data |
26 |
leaked from other processes running under different UIDs (or even the |
27 |
kernel) which they should not have access to. |
28 |
|
29 |
If MariaDB has vulnerable code listening on its socket, and you can |
30 |
talk to that socket, and run code under a different UID, then you |
31 |
could in theory read arbitrary data from MariaDB's memory. That could |
32 |
include tables you don't otherwise have privileges to read, or |
33 |
possibly even credentials stored in memory that could allow you to |
34 |
connect to the server and execute arbitrary queries. |
35 |
|
36 |
Also, all this is requires is code running on the same CPU. It could |
37 |
be in a different VM, or a different container. |
38 |
|
39 |
However, I wouldn't completely neglect local priv escalation attacks. |
40 |
Sure, every sysadmin would prefer to not have code running on their |
41 |
server that they didn't put there, but there is still such a thing as |
42 |
defense in depth. There is a reason we don't run all our daemons as |
43 |
root. If your server's ntp client somehow has a vulnerability and now |
44 |
there is malicious code running under the ntp UID, it would still be |
45 |
preferable that this code STAY contained in the ntp UID vs having |
46 |
access to more mission-critical processes on the server. Sure, you |
47 |
will still want to wipe the server and install a clean one, but it |
48 |
would be nice if you could do that after migrating your production |
49 |
database/website/whatever to another server, versus having to revert |
50 |
to the last backup. |
51 |
|
52 |
-- |
53 |
Rich |