Episode 36

Posted on Monday, Jun 17, 2019
Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.

Show Notes

Overview

Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.

This week in Ubuntu Security Updates

43 unique CVEs addressed

[USN-4012-1] elfutils vulnerabilities

[USN-4013-1] libsndfile vulnerabilities

[USN-4014-1, USN-4014-2] GLib vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • GLib contains GIO, a library that abstracts file I/O operations
  • When copying a file, GIO would create the destination with default permissions (i.e. subject only to the umask) and only set the correct permissions, taken from the original file, once the copy had finished
  • Other users could therefore read the destination file while the copy was in progress
  • Fixed by creating the new file with restrictive permissions (accessible only by the current user) from the start and applying the original file's permissions afterwards
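An added example (not GLib's own code) showing the window described above: both helpers create the destination with O_CREAT and fix the mode up afterwards, but one starts from the default 0666-and-umask mode and the other from 0600. The mode is read back with fstat immediately after creation, which is exactly what a concurrent reader on the same box would see. The umask of 022 and the file names are assumptions made so the demo is deterministic.

```python
import os
import stat
import tempfile


def _copy_with_initial_mode(src: str, dst: str, initial_mode: int):
    """Create dst with initial_mode, copy the bytes, then apply src's mode.

    Returns (mode seen right after creation, mode after the copy finished).
    The first value is what another user would see during the copy.
    """
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    old_umask = os.umask(0o022)  # assumed umask so the result is deterministic
    try:
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, initial_mode)
    finally:
        os.umask(old_umask)
    try:
        created_mode = stat.S_IMODE(os.fstat(fd).st_mode)
        with open(src, "rb") as f:
            while True:
                chunk = f.read(64 * 1024)
                if not chunk:
                    break
                os.write(fd, chunk)
        os.fchmod(fd, src_mode)  # "set the correct permissions once the copy is done"
        final_mode = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
    return created_mode, final_mode


def copy_like_unpatched(src: str, dst: str):
    """Old behaviour: default permissions first, so 0666 & ~022 = 0644 until the chmod."""
    return _copy_with_initial_mode(src, dst, 0o666)


def copy_like_patched(src: str, dst: str):
    """Fixed behaviour: owner-only from the first instant the file exists."""
    return _copy_with_initial_mode(src, dst, 0o600)


def demo():
    """Copy a constructed 0600 secret both ways; returns the two (created, final) mode pairs."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "secret")
        with open(src, "wb") as f:
            f.write(b"constructed secret contents\n")
        os.chmod(src, 0o600)
        unpatched = copy_like_unpatched(src, os.path.join(d, "copy-unpatched"))
        patched = copy_like_patched(src, os.path.join(d, "copy-patched"))
        return unpatched, patched


if __name__ == "__main__":
    (u_created, u_final), (p_created, p_final) = demo()
    print(f"unpatched: created {u_created:04o}, final {u_final:04o}")
    print(f"patched:   created {p_created:04o}, final {p_final:04o}")
```

Both copies end up 0600, so checking the result after the fact tells you nothing; the difference only shows in the mode the file had while it was being written.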

[USN-4015-1, USN-4015-2] DBus vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • DBus includes multiple authentication mechanisms - usually it would just use credentials passed over UNIX sockets (which is secure, since the kernel enforces them), but this is not supported on all platforms (Windows etc.)
  • So it includes another authentication mechanism - DBUS_COOKIE_SHA1
    • In this case, the authenticating user has to prove they are who they say they are by being able to read and provide a magic value from a keyring file that dbus creates in the user's home directory
    • By abusing symlinks, it was possible to point the local user's keyring at some other file and cause DBus to read from / write to a file that was never intended
    • This could further be abused by pointing the local user's keyring at root's, causing DBus to confuse the local user's authentication to the bus with that of the root user, so an unprivileged user could authenticate as root and then perform operations as root via DBus
  • Fixed by simply only allowing DBUS_COOKIE_SHA1 to authenticate as the same user the DBus server runs as - i.e. if DBus is running as root you can only authenticate as root, not as your local user (authenticating as a different user is not a use-case needed in practice)
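An added example (not dbus's own code) modelling the DBUS_COOKIE_SHA1 exchange described above, so it is clear why "being able to read the keyring file" is the whole proof. The message contents follow the D-Bus specification: the server sends the context, cookie ID and a challenge, and the client answers with its own challenge plus SHA1(server_challenge:client_challenge:cookie). The keyring file layout (one "<id> <created> <cookie>" line), the temporary keyring directory, the O_NOFOLLOW open and the uid predicate are assumptions of this example; the uid predicate is the shape of the fix, not a copy of dbus's patch.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

DEFAULT_CONTEXT = "org_freedesktop_general"  # context name dbus uses by default


def hexenc(text: str) -> str:
    return text.encode("ascii").hex()


def hexdec(hexstr: str) -> str:
    return bytes.fromhex(hexstr).decode("ascii")


def write_keyring(keyring_dir: str, cookie_id: int, cookie: str, context: str = DEFAULT_CONTEXT) -> str:
    """Write a constructed one-cookie keyring file: '<id> <creation-time> <cookie>'."""
    path = os.path.join(keyring_dir, context)
    with open(path, "w") as f:
        f.write(f"{cookie_id} 0 {cookie}\n")
    os.chmod(path, 0o600)
    return path


def read_cookie(keyring_dir: str, context: str, cookie_id: int) -> str:
    """Look the cookie up; refuses traversal in the context name and symlinked keyrings (assumed hardening)."""
    if "/" in context or context.startswith("."):
        raise ValueError("bad keyring context")
    fd = os.open(os.path.join(keyring_dir, context), os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as f:
        for line in f:
            cid, _created, cookie = line.split()
            if int(cid) == cookie_id:
                return cookie
    raise KeyError(cookie_id)


def server_begin(cookie_id: int, context: str = DEFAULT_CONTEXT):
    """Server's DATA payload: hex('<context> <cookie_id> <server_challenge>'); also returns the challenge."""
    server_ch = secrets.token_hex(16)
    return hexenc(f"{context} {cookie_id} {server_ch}"), server_ch


def client_respond(data_hex: str, keyring_dir: str) -> str:
    """Client's DATA payload: hex('<client_challenge> <sha1(server:client:cookie)>')."""
    context, cookie_id, server_ch = hexdec(data_hex).split(" ")
    cookie = read_cookie(keyring_dir, context, int(cookie_id))  # the only secret the client needs
    client_ch = secrets.token_hex(16)
    digest = hashlib.sha1(f"{server_ch}:{client_ch}:{cookie}".encode("ascii")).hexdigest()
    return hexenc(f"{client_ch} {digest}")


def server_verify(response_hex: str, server_ch: str, cookie: str) -> bool:
    client_ch, digest = hexdec(response_hex).split(" ")
    expected = hashlib.sha1(f"{server_ch}:{client_ch}:{cookie}".encode("ascii")).hexdigest()
    return hmac.compare_digest(expected, digest)


def cookie_sha1_allowed(claimed_uid: int, server_uid: int) -> bool:
    """Shape of the USN-4015 fix: the mechanism may only authenticate the server's own uid."""
    return claimed_uid == server_uid


def run_exchange(keyring_dir: str, server_cookie: str, cookie_id: int = 1) -> bool:
    """Full round trip; the server checks against server_cookie, the client reads the keyring."""
    data_hex, server_ch = server_begin(cookie_id)
    response = client_respond(data_hex, keyring_dir)
    return server_verify(response, server_ch, server_cookie)


def demo():
    """Returns (genuine client accepted, client with a different cookie rejected, symlinked keyring refused)."""
    with tempfile.TemporaryDirectory() as keyring_dir:
        cookie = secrets.token_hex(32)
        write_keyring(keyring_dir, 1, cookie)
        accepted = run_exchange(keyring_dir, cookie)
        rejected = not run_exchange(keyring_dir, "some-other-cookie")
        # Point a second context at the real keyring via a symlink; the nofollow open must fail.
        os.symlink(os.path.join(keyring_dir, DEFAULT_CONTEXT), os.path.join(keyring_dir, "linked"))
        try:
            read_cookie(keyring_dir, "linked", 1)
            symlink_refused = False
        except OSError:
            symlink_refused = True
        return accepted, rejected, symlink_refused


if __name__ == "__main__":
    print(demo())
```

Since the server's own check is just "can you produce the SHA1 over the cookie I hold for this user", anything that lets the server be talked into reading or writing a keyring that is not really that user's (the symlink trick above) breaks the identity binding; restricting the mechanism to the server's own uid removes the cross-user case entirely.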

[USN-4016-1] Vim vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Most over-hyped bug of the week
  • Will discuss with Joe later in the episode, but briefly:
    • Vim includes support for ‘modelines’
      • This allows files to include custom settings such as indentation, file type etc so that editing is consistent
      • Only a subset of vim commands is permitted in a modeline (essentially set), not every option can be set from one, and the modeline is evaluated in a sandbox that is meant to be side-effect free
      • However, the source! command was still allowed - it reads extra commands from a file as though typed by the user, and was executed outside the sandbox
      • So it was possible to escape the sandbox and execute arbitrary commands via a modeline (since vim can run external shell commands from within the editor)
      • PoC included running a reverse shell just by opening a crafted file
    • However, modelines are disabled by default in Debian (and hence Ubuntu), so unless a user had specifically enabled them in their own vimrc they are safe
    • Patched so that a file can no longer be sourced from a modeline, or from within the sandbox at all
  • One additional low-priority issue where vim could be made to crash via a crafted spell file (these store local spelling additions and the like)
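For anyone who has turned modelines on and wants to triage files before opening them, here is an added example (not part of the show notes or of vim) that extracts modelines from the first and last five lines of a file, the window vim checks by default, and flags option values that source a file or run a command, which is outside what a modeline is supposed to do. The sample text, the five-line window constant and the list of risky tokens are assumptions of this example, and the suspicious line is a constructed stand-in rather than a working PoC.

```python
import re

MODELINES_WINDOW = 5  # vim's default 'modelines' value: first and last 5 lines are checked

# "[text] vi:|vim:|Vim:|ex: [options]" - the marker must follow start of line or whitespace
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")

# Tokens a modeline has no business containing (assumed heuristic list, not vim's own rules)
RISKY_RE = re.compile(r"source|!|\bsystem\b|\bexecute\b|\bcall\b|\blibcall\b")


def split_options(rest: str):
    """Split the text after the 'vim:' marker into options, honouring both modeline forms."""
    m = re.match(r"se(?:t)?\s+(.*)", rest)
    if m:
        # second form: 'se[t] {options}:[text]' - options end at the first unescaped ':'
        body = m.group(1)
        end = re.search(r"(?<!\\):", body)
        if end:
            body = body[: end.start()]
        return [o for o in re.split(r"(?<!\\)\s+", body) if o]
    # first form: options separated by unescaped whitespace or ':'
    return [o for o in re.split(r"(?<!\\)[\s:]+", rest) if o]


def scan_modelines(text: str, window: int = MODELINES_WINDOW):
    """Return [(line_no, options, risky_options)] for every modeline in the head/tail window."""
    lines = text.splitlines()
    n = len(lines)
    candidates = sorted(set(range(min(window, n))) | set(range(max(n - window, 0), n)))
    findings = []
    for i in candidates:
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        options = split_options(m.group(1))
        risky = [o for o in options if RISKY_RE.search(o)]
        findings.append((i + 1, options, risky))
    return findings


# Constructed 12-line sample: a benign modeline on line 1, a modeline on line 6 that sits
# outside the 5-line window (so vim would never honour it), and a suspicious one on line 11.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "def main():",
    "    return 0",
    "",
    "",
    "# vim: set fde=source!\\ ignored.vim:",
    "x = 1",
    "",
    "",
    "",
    "# vi: fdm=expr:fde=source!\\ evil.vim",
    "# end",
])


if __name__ == "__main__":
    for line_no, options, risky in scan_modelines(SAMPLE):
        flag = "SUSPICIOUS" if risky else "ok"
        print(f"line {line_no}: {flag} {options}")
```

Anything reported as suspicious deserves a look before the file is opened with modelines enabled; a clean report only means no modeline in the window tripped the heuristic, not that the file is safe.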

[USN-4016-2] Neovim vulnerability

  • 1 CVE addressed in Cosmic, Disco
  • See above from vim :)

[USN-3991-3] Firefox regression

Goings on in Ubuntu Security Community

Alex and Joe talk about another npm package hijack attack and the vim issue

Hiring

Robotics Security Engineer

Get in contact