On Friday, August 14, 2015 09:30:56 AM LC Bruzenak wrote:
> On 08/13/2015 02:30 PM, Steve Grubb wrote:
> > ...
> >
> > If you ausearch -i on that file, your screen will get underlines with all
> > the text. An attacker could change this to be worse than just underlining
> > your text. They could try to write to the window title and then bounce
> > that back in black on black text to the command prompt hoping the admin
> > will press enter.
> Wow; that's something unexpected. Thanks for this extra info Steve; I
> may need to backport to my version.
> Are these changes isolated to the ausearch/aureport code sets or inside
> libs?
Well, that's where it gets complicated. Ausearch was converted to use auparse
for interpretations a while back. So, I had to patch the whole mess. Any
utility that uses auparse can also unwittingly pass along terminal escape
sequences through the interpret function.
So, what I did in auparse is to create a new function:
auparse_set_escape_mode. It takes one argument which can be any of:
AUPARSE_ESC_RAW - do nothing. Just passes control characters and all.
AUPARSE_ESC_TTY - escape control characters by turning them to octal. This is
the same thing syslog does. This is the default.
AUPARSE_ESC_SHELL - escape control characters and any of these "'`$\ by
prepending a \ to the character.
AUPARSE_ESC_SHELL_QUOTE - escape control characters and any of these
;'"`#$&*?[]<>{}\ by prepending a \ to the character.
Once this is set, every output from auparse is escaped. This will allow
ausearch/report to shell escape output in a future release. Additionally, it
was found you could inject control characters by the auditctl command. It now
prevents that.
So, the patch is rather large and ugly:
https://fedorahosted.org/audit/changeset/1122
You have to be on a susceptible terminal emulator to have any real problems.
It's for this reason the Security Response Team rates this as low. But in terms
of audit, you don't want a file path to suddenly change to black on black text
so that you can't see the full path.
-Steve
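As an added illustration of the four modes Steve lists, and of the window-title/black-on-black payload he describes, here is a small emulation written for this thread. It is not auparse's code: the names escape_text, escaped_equals, escape_fits and has_ctrl, the sample input, and the exact rendering are my assumptions. In particular, the mail only says the shell modes "escape control characters", so this emulation renders them in the same three-digit octal form as the TTY mode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Emulation of the four escape modes named in the mail. Example code for
 * this thread, not the auparse implementation; names are assumptions. */
enum esc_mode { ESC_RAW, ESC_TTY, ESC_SHELL, ESC_SHELL_QUOTE };

/* Non-control characters that get a backslash prefix in each shell mode,
 * copied from the mail's two lists. */
static const char SHELL_SET[]       = "\"'`$\\";
static const char SHELL_QUOTE_SET[] = ";'\"`#$&*?[]<>{}\\";

/* Constructed sample: a path followed by an OSC "set window title" sequence
 * (ESC ] 0 ; ... BEL) and an SGR "black on black" sequence (ESC [ 30 ; 40 m),
 * the kind of payload the mail describes. */
static const char HOSTILE_INPUT[] = "/tmp/$HOME\033]0;hi\007\033[30;40m";

static int is_ctrl(unsigned char c)
{
    return c < 0x20 || c == 0x7f;
}

/* Returns 1 if s still contains a raw control byte, else 0. */
int has_ctrl(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (is_ctrl(*p))
            return 1;
    return 0;
}

/* Escape `in` into `out` (capacity outlen bytes, NUL-terminated on success).
 * Returns the length written, or -1 if out is too small.
 * Assumption: shell modes use the TTY mode's octal form for control bytes. */
int escape_text(const char *in, enum esc_mode mode, char *out, size_t outlen)
{
    const char *set = mode == ESC_SHELL       ? SHELL_SET
                    : mode == ESC_SHELL_QUOTE ? SHELL_QUOTE_SET
                    : "";
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char piece[5];
        int n;

        if (mode != ESC_RAW && is_ctrl(*p))
            n = snprintf(piece, sizeof piece, "\\%03o", *p); /* ESC -> \033 */
        else if (*p < 0x80 && strchr(set, (int)*p) != NULL)
            n = snprintf(piece, sizeof piece, "\\%c", *p);   /* $ -> \$ */
        else {
            piece[0] = (char)*p;
            n = 1;
        }

        if (o + (size_t)n >= outlen)   /* keep room for the terminating NUL */
            return -1;
        memcpy(out + o, piece, (size_t)n);
        o += (size_t)n;
    }
    if (o >= outlen)
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* Escape `in` and compare the result with `expected`; 1 on match, else 0. */
int escaped_equals(const char *in, enum esc_mode mode, const char *expected)
{
    char buf[256];
    return escape_text(in, mode, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* escape_text's return value for an output buffer of `cap` bytes (max 256). */
int escape_fits(const char *in, enum esc_mode mode, size_t cap)
{
    char buf[256];
    return escape_text(in, mode, buf, cap < sizeof buf ? cap : sizeof buf);
}

int main(void)
{
    static const char *names[] = { "RAW", "TTY", "SHELL", "SHELL_QUOTE" };
    char buf[256];

    for (int m = ESC_RAW; m <= ESC_SHELL_QUOTE; m++) {
        int n = escape_text(HOSTILE_INPUT, (enum esc_mode)m, buf, sizeof buf);
        /* RAW would hand the live sequences to the terminal, so only report
         * its length; the other three modes are safe to print as-is. */
        if (m == ESC_RAW)
            printf("%-12s %d bytes, control chars left: %d\n", names[m], n, has_ctrl(buf));
        else
            printf("%-12s %s\n", names[m], buf);
    }
    return 0;
}
```

In TTY mode the sample becomes `/tmp/$HOME\033]0;hi\007\033[30;40m`, which a terminal prints literally, so the path stays visible; SHELL_QUOTE additionally prefixes `$`, `]`, `;` and `[`, so the value also cannot end a command or start a glob if an admin pastes it into a shell.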