![]() #BUGZILLA LDAP UPDATE#SUSE-SU-2020:1859-1: An update that solves one vulnerability and has two fixes is now available. Would that also potentially be an issue? Shouldn't the nss compat/files module refuse to use a hash from /etc/passwd, and it should refuse to work if the permissions aren't root:root? That seems like an extra "defence in depth" that would be valuable to have (consider say nf which refuses to start if it's not root:root 600, which would actually mitigate this attack pattern).Īnyway, I'm still going to fix the chown, thanks for your time. Thanks for explaining! I was under the impression that passwd was never able to store hashes, and that it was permission checked to be root:root. ![]() > uid=0(newroot) gid=0(root) groups=0(root) > context=unconfined_u:unconfined_r:unconfined_t:s0 Uid=0(newroot) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0 Sh-5.0$ echo 'newroot:$1$ggDt1EGc$SpOckvmrIQOqiO2Cyvux0/:0:0:root:/root:/bin/zsh' > /etc/passwd Uid=76(ldap) gid=70(ldap) groups=70(ldap) context=unconfined_u:unconfined_r:unconfined_t:s0 > I'm thinking about this more, are you sure this is a priv esc? yes, there are many ways to leverage this to gain root > I still think the chown on startup is a bit poor, so I agree it should be fixed, but I'd really like to see some more detail about how this is a priv esc thank you :) > I think this won't affect nf directory chown, because it's root:ldap and ldap is group readonly, but it's probably worth removing chown_database_dirs() as well. Having these chown calls is always unpleasant from a security POV > So to be clear, the "fix" from your perspective is to remove the call to chown_database_dirs_bconfig()? Shouldn't be able to gain root (unless of course this is specified by the admin). That's not really part of the question here. > When *root* has modified this to use "OPENLDAP_CONFIG_BACKEND", this means that the slapd daemon (which runs as ldap, an isolated service account it appears), if a user was able to become ldap (how?) For example by exploiting the slapd daemon. > -rw-r-r- 1 root root 4612 Jun 10 01:03 /etc/sysconfig/openldap > Is this correct to your understanding of the issue? Are there any I have missed? I think this won't affect nf directory chown, because it's root:ldap and ldap is group readonly, but it's probably worth removing chown_database_dirs() as well. So to be clear, the "fix" from your perspective is to remove the call to chown_database_dirs_bconfig()? When *root* has modified this to use "OPENLDAP_CONFIG_BACKEND", this means that the slapd daemon (which runs as ldap, an isolated service account it appears), if a user was able to become ldap (how?) OR the openldap directory manager (equivalent to root but in ldap) is able to change olcdbdirectory to another value, then on restart of the openldap instance the start script call to "chown_database_dirs_bconfig", a chown -R is called on the location, which can change the permissions of other files such as /etc/shadow or /etc/passwd. rw-r-r- 1 root root 4612 Jun 10 01:03 /etc/sysconfig/openldap ![]() I want to confirm what is the vulnerability here because it's not clear from your POC. Is this correct to your understanding of the issue? Are there any I have missed? UserPassword:: e2EKyeXB0fUJklnoEtzZDJoWDd4cXc= ![]() I'm trying to confiugre bugzilla to authenticate with ldap credentials but not successful so far. ![]() I've bugzilla and ldap running on different ubuntu servers. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |