
"Holey Beep": a critical vulnerability found in the Linux "beeper" utility

A vulnerability has been discovered in beep, a third-party Linux utility, that lets an unprivileged user trigger side effects on files and learn their type without the permissions to do so. Here is the essence of the problem and the solutions the IT community has proposed.


Image: Flickr / Chris / CC

What beep does


The beep utility produces audible notifications about errors that occur while working on the command line and, more generally, lets you control the PC speaker ("beeper"). It was written by developer Jonathan Nightingale, who wanted more control over the console than the usual printf("\a") allows.

The essence of the vulnerability


The first news appeared on the site holeybeep.ninja, which describes the vulnerability in a satirical manner. The Register believes the page is a parody of those who hype bugs and create dedicated websites for them. Official bug reports appeared later.

A bug report published by Debian notes that beep reveals whether any given file exists, even when it should be hidden from the user making the request.

$ ls -ld /etc/hidden/
drwx------ 2 root root 4096 Apr 7 08:18 /etc/hidden/
$ ls -l /etc/hidden/secret
ls: cannot access '/etc/hidden/secret': Permission denied
$ ls -l /etc/hidden/nonexistent
ls: cannot access '/etc/hidden/nonexistent': Permission denied
$ beep -e /etc/hidden/secret
ioctl: Inappropriate ioctl for device
ioctl: Inappropriate ioctl for device
$ beep -e /etc/hidden/nonexistent
Could not open /etc/hidden/nonexistent for writing
open: No such file or directory

Here the program reveals the file's type even though the requesting user has no right to learn it (for a socket, for example, the message is "No such device or address"). That should not happen when the file lives in a directory the calling user cannot access. The vulnerability also lets attackers trigger side effects and block the launch of arbitrary programs: running beep -s -e /bin/sh, for example, yields an ETXTBSY error ("Text file busy"), which amounts to a denial of service.
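The two defects in the exchange above (root's permissions being applied to a user-supplied path, and arbitrary files being opened as if they were the speaker device) come from the same pattern: a setuid-root program calling open(2) without first taking on the caller's identity. The following is an added example, not beep's own code, of how such a program should open a user-supplied device path. open_console_device() and demo() are illustrative names; the example assumes a glibc/Linux environment and, when run unprivileged, the seteuid() calls are simply skipped because the real and effective uids already match.

```c
/* Added example (not beep's own code): a setuid-root program opening a
 * user-supplied path must let the kernel apply the *caller's* permissions,
 * not root's, and must only accept the kind of file it actually needs.
 * open_console_device() and demo() are hypothetical names for this
 * illustration. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a console/speaker device on behalf of the real (unprivileged) user.
 * Returns a file descriptor, or -1 with errno set. With privileges dropped,
 * a path inside a directory the caller cannot search fails with EACCES
 * whether or not the file exists, so nothing about it is revealed. */
int open_console_device(const char *path) {
    uid_t privileged = geteuid();
    uid_t caller = getuid();
    struct stat st;
    int fd, saved_errno;

    /* Temporarily become the caller; the saved set-user-ID keeps root recoverable. */
    if (privileged != caller && seteuid(caller) == -1)
        return -1;

    /* O_NOFOLLOW: refuse symlinks; O_NOCTTY: never acquire a controlling tty. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    saved_errno = errno;

    if (privileged != caller && seteuid(privileged) == -1) {
        if (fd >= 0) close(fd);
        return -1;   /* could not regain privileges: treat as fatal */
    }

    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }

    /* beep's -e expects a character device; anything else (a regular file,
     * a socket, /bin/sh) is rejected before any side effect can occur. */
    if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }
    return fd;
}

/* Exercise the checks on inputs constructed here: a character device that
 * must be accepted, then a regular temp file and a missing path that must
 * not. Returns 0 when every case behaves as expected. */
int demo(void) {
    int fd = open_console_device("/dev/null");
    if (fd < 0) return 1;
    close(fd);

    char tmpl[] = "/tmp/holeybeep-demo-XXXXXX";   /* constructed regular file */
    int tfd = mkstemp(tmpl);
    if (tfd < 0) return 2;
    close(tfd);
    fd = open_console_device(tmpl);
    int err = errno;
    unlink(tmpl);
    if (fd >= 0) { close(fd); return 3; }
    if (err != ENOTTY) return 4;

    if (open_console_device("/nonexistent/dir/file") >= 0) return 5;
    if (errno != ENOENT) return 6;
    return 0;
}

int main(void) {
    printf("demo result: %d (0 = all checks behaved as expected)\n", demo());
    return 0;
}
```

The privilege drop is what removes the information leak: once the kernel evaluates the path with the caller's uid, a file under a 0700 root-owned directory fails with "Permission denied" whether it exists or not, exactly as ls does in the session above. The S_ISCHR check is what removes the side effects, since a regular file or executable is never opened for writing in the first place.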

As GitHub users note, the root cause of the vulnerability is a race in the use of free() from signal handlers. free() is not on the async-signal-safe list, that is, it cannot be safely called inside a handler: a call to free() may be interrupted by another signal, corrupting the data structures and global variables that manage the heap.

One GitHub user notes that in the latest version of beep.c a single handler serves two signals at once (SIGINT and SIGTERM). As a result handle_signal() can run several times in a row, which leads to a double free.
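The fix for this class of bug is to keep free() out of the handler entirely. Below is an added example, not beep's code, that places the unsafe handler shape described above next to the pattern recommended by signal-safety(7): the handler only stores a flag in a volatile sig_atomic_t, and the cleanup runs later in normal context and is idempotent, so two signals in a row (SIGINT followed by SIGTERM, as in the text) cannot produce a double free. handle_signal(), cleanup() and run_demo() are illustrative names.

```c
/* Added example (not beep's own code): the signal-handling pattern that
 * avoids the double free described above. A handler may only store to a
 * volatile sig_atomic_t; free() runs later in normal context, exactly once.
 * handle_signal(), cleanup() and run_demo() are illustrative names. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static volatile sig_atomic_t got_signal = 0;
static char *buffer = NULL;     /* heap state the handler must never touch */
static int free_count = 0;      /* how many times free() ran on it */

/* The unsafe shape from the text: free() inside a handler shared by SIGINT
 * and SIGTERM. A second signal arriving during free() corrupts the heap, and
 * a second run of the handler frees the same pointer again. Never installed
 * here; shown only for contrast. */
void handle_signal_unsafe(int sig) {
    (void)sig;
    free(buffer);   /* not async-signal-safe, and the pointer is not reset */
}

/* Safe handler: a single store, which is async-signal-safe. */
static void handle_signal(int sig) {
    got_signal = sig;
}

/* Cleanup in normal context, made idempotent by resetting the pointer,
 * so being reached twice cannot turn into a double free. */
static void cleanup(void) {
    if (buffer != NULL) {
        free(buffer);
        buffer = NULL;
        free_count++;
    }
}

static int install_handlers(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handle_signal;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGINT, &sa, NULL) == -1) return -1;
    if (sigaction(SIGTERM, &sa, NULL) == -1) return -1;
    return 0;
}

/* Simulates the program's main loop receiving SIGINT and then SIGTERM back
 * to back. Returns how many times free() ran: expected 1. */
int run_demo(void) {
    free_count = 0;
    got_signal = 0;
    buffer = malloc(64);
    if (buffer == NULL || install_handlers() == -1) return -1;

    raise(SIGINT);    /* handler runs synchronously and sets the flag */
    raise(SIGTERM);   /* second signal: just overwrites the flag */

    if (got_signal != 0) {
        cleanup();    /* the real work, done here rather than in the handler */
        cleanup();    /* even a repeated call is harmless */
    }
    return free_count;
}

int main(void) {
    printf("free() ran %d time(s)\n", run_demo());
    return 0;
}
```

The two properties that matter are independent: the handler being a single store is what keeps it async-signal-safe, and cleanup() resetting the pointer is what makes a second pass harmless. beep's original handler had neither.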


Image: Flickr / Tomás Fano / CC

Patches and problem solving


To eliminate the vulnerability, the maintainers of some operating systems (Ubuntu, for example) have released a fix. According to the community, however, it does not address all of beep's problems: as noted in the GitHub discussion, it resolves the race, but the information disclosure remains.

For these reasons, researcher Hanno Böck proposes a radical solution: stop installing beep as setuid. He also notes that the beep utility is in principle unnecessary on modern hardware, since not all computers even have a PC speaker. As a replacement, he suggests returning to the simple and safe printf("\a"), as the developers of the SUSE distribution did.


Source: https://habr.com/ru/post/353374/

