Dirty Cow: Privilege Escalation Exploit, Linux Kernel

Okay, so if, like me, you use Linux daily in your college, professional or hobbyist life, you have likely heard about this, but what the heck is it really?

To paraphrase from the initial disclosure docs:

the privilege-escalation vulnerability potentially allows any installed application, or malicious code smuggled onto a box, to gain root-level access and completely hijack the device.

The programming bug gets its name from the copy-on-write mechanism in the Linux kernel; the implementation is so broken, programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory.

So what does all that mean? It means your internet-facing servers, and even Android phones, have a big problem with how the kernel handles memory when two things happen at once. The bug is what is called a 'race condition', which, as you may have guessed, makes for a first-one-in-wins scenario. The two racers here are a write into a private, read-only mapping of a file (for example a root-owned binary that a program has mapped into memory; the public proof of concept does the write through /proc/self/mem, which lets a process write to its own read-only mappings) and a request to the kernel to throw the process's private copy of that 'page' (the fixed-size chunk the kernel manages memory in) away, via madvise(MADV_DONTNEED). Normally a write to such a mapping triggers Copy-On-Write (the COW part of the name): the kernel hands the process its own private copy of the page, the write lands in that copy, and the file on disk is untouched. If the private copy is discarded at exactly the right moment, the kernel's retry logic forgets that it still needs a writable private copy and lets the write land on the shared page that backs the original file. The result is that an unprivileged process can modify a root-owned (the almighty full system admin) file it only has read access to, which is bad news: swap a few bytes in a setuid binary and you have root. Because the race is won by repeatedly dirtying pages that are supposed to be copy-on-write, it was dubbed Dirty COW. If you feel so inclined to read the much more technical details, read up on CVE-2016-5195.

F24 Updated ISOs available. (Kernel with Dirty Cow Patched)

It is with great pleasure that I announce that the community-run respin team has yet another updated ISO round. This round carries the 4.7.9-200 kernel along with over 800 MB of updates on average (some desktop environments more, some less) since the gold release back in June.

Torrents will be available at the same link as usual alongside the .iso files.

You have heard about this nasty privilege escalation bug called 'Dirty Cow'; well, rest assured the infected farm and farmer have been found and the vaccine has been applied to the kernel in these updates. More info on 'Dirty Cow' is in my blog post on it here.

Below are the contents of both CHECKSUM512-20161023 and HASHSUM512-20161023 (the latter holds the torrent hashes):

cat CHECKSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

8d1c8b9637b1ccc16233ae740e6e0137485574a6f02ab05e66e5a6fb8d5c18a6671395e14341e2cb45f902cd20a4ef987bd83265b68932b8c2183ff2b5194e5e F24-source-20161023.iso
aee5e894dc6b34e207aaa0f23f7a4fd6d16577846d5f7ab3568a234f9e0b2bea1ae814a2291852cb2dbba3930b046ce31cffbcadaf5bff72208a36176eabbecd F24-x86_64-CINN-20161023.iso
6875a43e59a899e4520260e19fb28bb7ade59565b46fc6ad4f22ca8da01c57822ca7ed9373f795377dfaf750d28b6df6c1c083da5d5a0628f8d26553fb744ea0 F24-x86_64-KDE-20161023.iso
197ea70be8337f97f60e2558188e82f53eae0208d3166a7356267dc515e0b7c6204e4b5aae1ae4b44150ff59881a7c2b3d8c998e9dd715872d8c2fe1fe0485c3 F24-x86_64-LXDE-20161023.iso
7f4b48998cb716042a899089f1b292aa77ce5fca44c8d69ceb25f8769da5d9bbe2b29cef728630ae643ad4fc290c64adf270debb228454e620509f039294849c F24-x86_64-MATE-20161023.iso
ffb77a60e5895d4521c58efcbb41bb6afcca7a9a2b3320929cecb9422d00caa1cb7e5f23b04bae9644bf6ea0dae1ab2c9674f4f7ba243acd6250fd5e90221c1d F24-x86_64-WORK-20161023.iso
4ba2915a0ba51b870e7a51eb8d658464bac99f6d998f9f06c26ab8642fedd0212c2ab47c256c7fb5be060494dd6c8eb3279a0d84ca8516db199e45e612d2e502 F24-x86_64-XFCE-20161023.iso
-----BEGIN PGP SIGNATURE-----
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=+BTN
-----END PGP SIGNATURE-----

cat HASHSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c45662c568ecb116fd18e8f2fae4dedb43a17bdd F24-x86_64-CINN-20161023.iso
379d63a42b3e218cc0aefebc176eabe4c508c622 F24-x86_64-KDE-20161023.iso
89cd48b48d4b1163ac0b81fa639b40ae11fc36ae F24-x86_64-LXDE-20161023.iso
9dfb8df60faa611178d430d897ea365f3df4bd00 F24-x86_64-MATE-20161023.iso
240f78a935d54ef5c92491ee14334b14ad4d5951 F24-x86_64-WORK-20161023.iso
4af163e1162642e8d2a2632878106b94c58ac22a F24-x86_64-XFCE-20161023.iso
-----BEGIN PGP SIGNATURE-----
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=Vk0T
-----END PGP SIGNATURE-----
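Added example (mine, not the respin team's tooling) of the verification step a downloader should do with the two files above: check the clearsign signature first, then check the ISO's SHA-512 against the signed line for that filename. It assumes the CHECKSUM file and the ISO sit in the current directory and that the signing key named in the post is already in your gpg keyring; fetching and trusting that key is up to you. One caveat: the clearsign uses a SHA1 digest (the Hash: SHA1 header) for the signature over the list, while the ISO hashes themselves are SHA-512.

```shell
#!/bin/sh
# Added example (mine, not the respin team's tooling): verify a downloaded
# respin ISO against the clearsigned CHECKSUM512 file. Assumes the CHECKSUM
# file and the ISO are in the current directory and that the signing key
# named in the post (0xF59276298D2264944) is already in your gpg keyring.

# Step 1: verify the signature on the CHECKSUM file itself. If this fails,
# the hashes inside it prove nothing, so stop.
verify_checksum_signature() {
    gpg --verify "$1"
}

# Step 2: compare the ISO's SHA-512 with the line signed for that filename.
# The line is picked out by name so the PGP header/footer and the other
# ISOs in the list are ignored; one or two spaces (or the " *" binary-mode
# marker) between hash and name are all accepted. Exit 0 only when the
# filename is listed and the digests match.
verify_iso_checksum() {
    checksum_file="$1"
    iso="$2"
    expected=$(grep -E "^[0-9a-fA-F]{128} +\*?$iso\$" "$checksum_file" \
               | awk '{ print tolower($1) }' | head -n 1)
    actual=$(sha512sum "$iso" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage: both steps must succeed before you boot the image.
#   verify_checksum_signature CHECKSUM512-20161023 &&
#   verify_iso_checksum CHECKSUM512-20161023 F24-x86_64-XFCE-20161023.iso
```

The signature check comes first on purpose: an attacker who can swap the ISO on a mirror can just as easily swap an unsigned hash list, so the hashes are only worth comparing once gpg has tied them to the key you trust.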

Badlock: Samba Vulns & Patching your machines

Hello again folks,

Unless you are living in a black hole, aka a SCIF, or are otherwise totally disconnected from the news, you have likely heard about the numerous vulns that dropped on Tuesday as a series of CVEs better known as 'Badlock'. Well, there is good news for those on Red Hat based distros: patches are already in the default repos for Fedora / RHEL / CentOS.

So, a quick layman's rundown and then on to how to patch / update. Below are tl;dr briefs of each vulnerability (the hyperlinks point to the respective Red Hat Customer Portal advisories).

For those desiring the more technical read:  Badlock: Red Hat Security Announcement

CVE-2015-5370

Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use them to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). A man-in-the-middle (MITM) attacker could also use them to downgrade a secure DCE/RPC connection, take control of an Active Directory (AD) object and compromise the security of a Samba Active Directory Domain Controller (DC).

CVE-2016-2110

Several flaws were found in Samba’s implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.

LDAP (with NTLMSSP authentication) is used as a client by various Samba administrative tools (for example net, samba-tool, ldbsearch or ldbedit).

CVE-2016-2111

It was discovered that Samba configured as a Domain Controller (DC) would establish a secure communication channel with a machine using a spoofed computer name (a rogue machine). A remote attacker could then observe network traffic to obtain session-related information about the spoofed machine.

This flaw only affects Samba running as a classic primary DC, backup DC, or Active Directory DC.

CVE-2016-2112

It was found that Samba’s LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle (MITM) attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.

This flaw affects all possible roles Samba can operate in.

The security advisory patch for this flaw introduces a new smb.conf option, ldap server require strong auth, whose possible values are no, allow_sasl_over_tls and yes. Before the patch the LDAP server had no option to enforce strong authentication at all.

Since the pre-patch behaviour corresponds to no, you may have to set this option explicitly until all clients have been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors. Windows clients and Samba member servers already use integrity protection.

CVE-2016-2113

It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate. (This is a different problem from the recently publicised DROWN attack, which exploits leftover SSLv2 support rather than missing certificate checks, although both end with an attacker sitting in the middle of a TLS connection.)

This flaw affects all possible roles Samba can operate in.

The security advisory patch for this flaw introduces a new smb.conf option, tls verify peer, which controls how strictly the peer's certificate is checked.

CVE-2016-2114

It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server.

This flaw affects the following server roles: standalone server, member server, classic primary DC, backup DC, and Active Directory DC.

Mitigation:

An explicit server signing = mandatory configuration option in the [global] section of the smb.conf file, together with server min protocol = SMB2, should prevent connections without signing protection. However, this may leave older clients without support for SMB2 (or higher) unable to connect.

Patched versions are in default repos: 

4.4.2 (in f24), 4.3.8 (in f23) and 4.2.11 (in f22)

CVE-2016-2115

It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (This is the client-side counterpart of CVE-2016-2114: it concerns the signing of IPC connections that Samba itself opens as a client, for example from a member server to its DC.)

The security advisory patch for this flaw introduces several new smb.conf options: client ipc signing, client ipc min protocol and client ipc max protocol.

Mitigation:

Set client signing = mandatory explicitly in the [global] section of the smb.conf file.

This flaw affects all possible roles Samba can operate in.

Patched versions are in default repos: 

4.4.2 (in f24), 4.3.8 (in f23) and 4.2.11 (in f22)

CVE-2016-2118

DCE/RPC is the specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups; it exposes the 'account database' for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies and, with minor exceptions, enables remote policy-management scenarios. Both SAMR (Security Account Manager Remote) and LSA (Local Security Authority) protocols are based on the DCE 1.1 RPC protocol.
These protocols are typically available on all Windows installations as well as on every Samba server, and are used to maintain the Security Account Manager database. This applies to all roles (for example standalone, domain controller or domain member). This is the flaw that gave the batch its name: a man-in-the-middle attacker who can intercept DCE/RPC traffic between a client and a server can impersonate the authenticated client and act with its privileges against the SAMR and LSA services, which on a DC means reading or changing the account database.

PATCH TIME:

Fedora 22:
sudo yum update samba

Fedora 23 / 24 Alpha:
sudo dnf update samba

CentOS 6 / 7:
sudo yum update samba

Updating the package does not by itself prove the running daemons picked up the fix: if smbd, nmbd and winbindd (or the samba service on an AD DC) were already running, restart them unless you have confirmed the package scriptlets did, and check with smbd -V that the reported version is one of the patched ones listed above.
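An added example, not from the post or from the Samba project, that audits an smb.conf [global] section for the mitigations named in the advisories above: server signing and minimum protocol for CVE-2016-2114, client signing for CVE-2016-2115, and ldap server require strong auth for CVE-2016-2112 on DC roles. The two sample configs are constructed for the demo. It is a text check only: it does not replace updating Samba, and it does not know Samba's compiled-in defaults, so an unset parameter is reported as missing rather than assumed safe.

```shell
#!/bin/sh
# Added example (not from the post or the Samba project): audit an smb.conf
# [global] section for the Badlock mitigations named in the advisories above.
# Pure text check; it does not know Samba's built-in defaults, so an unset
# parameter is reported as missing rather than assumed safe.

# Print the effective value of one [global] parameter, lower-cased, or
# nothing if it is unset. Samba treats parameter names case-insensitively
# and ignores whitespace inside them, so "Server Signing" == "serversigning".
# The last assignment in [global] wins, as in Samba itself. Comment lines
# (";" or "#") and other sections are skipped.
smb_global_param() {
    conf="$1"
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) last = tolower(val)
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Exit 0 when every mitigation from the advisories is present, 1 otherwise,
# printing one line per missing setting.
badlock_audit() {
    conf="$1"; rc=0
    v=$(smb_global_param "$conf" "server signing")
    [ "$v" = "mandatory" ] || { echo "missing: server signing = mandatory (CVE-2016-2114)"; rc=1; }
    v=$(smb_global_param "$conf" "server min protocol")
    case "$v" in
        smb2*|smb3*) ;;
        *) echo "missing: server min protocol = SMB2 (CVE-2016-2114)"; rc=1 ;;
    esac
    v=$(smb_global_param "$conf" "client signing")
    [ "$v" = "mandatory" ] || { echo "missing: client signing = mandatory (CVE-2016-2115)"; rc=1; }
    # LDAP strong auth only matters where Samba runs the LDAP server: DC roles.
    case "$(smb_global_param "$conf" "server role")" in
        *"domain controller"*)
            v=$(smb_global_param "$conf" "ldap server require strong auth")
            [ "$v" = "yes" ] || { echo "missing: ldap server require strong auth = yes (CVE-2016-2112)"; rc=1; }
            ;;
    esac
    return $rc
}

# Constructed sample configs for the demo: an AD DC with nothing set, and
# the same DC with the mitigations applied.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ; signing and LDAP strong auth left at their pre-patch defaults

[sysvol]
    path = /var/lib/samba/sysvol
EOF
    cat > "$dir/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    # CVE-2016-2114: refuse unsigned SMB and SMB1
    Server Signing = mandatory
    server min protocol = SMB2
    # CVE-2016-2115: sign the IPC connections this host opens as a client
    client signing = mandatory
    # CVE-2016-2112: require integrity-protected LDAP binds
    ldap server require strong auth = yes

[sysvol]
    path = /var/lib/samba/sysvol
EOF
}

# Usage on a real box: badlock_audit /etc/samba/smb.conf
```

Run badlock_audit against /etc/samba/smb.conf after the update; each missing line maps back to the CVE whose mitigation it is. The SMB2 floor is the one to think about before applying: as the advisory notes, SMB1-only clients will stop connecting once it is set.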
 

Git clients & servers need checked. Pre-2.7 bugs.

Courtesy of Laël Cellier, we are now aware of several rather nasty bugs in git versions 1.7 to 1.9, even though they were fixed upstream in 2.7.4 (released in March, rather quietly I may add) and in maintenance releases of the older branches. The bugs stem from signed vs. unsigned integer handling in path_name(), the function that builds a full path and copies it into a buffer with strcpy. Okay, so now in layman's terms, what the heck does all that mean?

Essentially, when an older git processes a repo containing files with very long names, the length calculation can overflow, and there is a verifiable risk of what is known as a heap overflow: the path is copied past the end of the buffer allocated for it, i.e. more than 100% of its container. Since git servers process trees pushed by clients and git clients process trees fetched from servers, both sides need checking.

Source: git-server-client bugs
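An added example, not taken from the posts, that gives a first-pass "am I on a fixed version?" check for both of the version-bound bugs above: the Dirty COW kernel from the F24 respin post and the git path_name() bugs here. It uses GNU sort -V for version ordering. The thresholds are assumptions drawn from the posts (Fedora 24's 4.7.9-200 kernel, git 2.7.4) and hold for Fedora and upstream git; distributions that backport fixes into older version numbers, RHEL and CentOS in particular, need their own advisory or the package changelog instead.

```shell
#!/bin/sh
# Added example, not taken from the posts: a first-pass "am I on a fixed
# version?" check for the two version-bound bugs above, using GNU sort -V
# for version ordering. The thresholds are taken from the posts (Fedora 24's
# 4.7.9-200 kernel for Dirty COW, git 2.7.4 for path_name()); treat them as
# assumptions that hold for Fedora and upstream git, not for every distro.

# Exit 0 when version string $1 sorts at or after $2.
# sort -V orders dotted numeric components and the "-release" suffix Fedora
# appends (e.g. 4.7.9-200.fc24.x86_64), so the bare threshold sorts first
# exactly when the installed version is at least that build.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Pull "2.7.4" out of a "git version 2.7.4" banner (third field).
git_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Dirty COW: meaningful on Fedora 24, whose fixed kernel build the post names.
# RHEL/CentOS backport fixes into 3.10.0-based kernels, so there a "no" from
# this check says nothing; compare against your distro's own advisory.
dirty_cow_kernel_patched() {
    version_at_least "$(uname -r)" "4.7.9-200"
}

# git: the fix shipped in 2.7.4 and in maintenance releases of older
# branches, and distributions backport it into older package versions, so a
# "no" here means "check the package changelog (rpm -q --changelog git)",
# not "vulnerable".
git_path_name_patched() {
    version_at_least "$(git_version_from_banner "$(git --version)")" "2.7.4"
}

# Usage:
#   dirty_cow_kernel_patched && echo "kernel at or above 4.7.9-200"
#   git_path_name_patched   && echo "git at or above 2.7.4"
```

A "yes" from either function is only as good as the threshold you fed it; the point of keeping version_at_least separate is that you can swap in the version string from your own distro's advisory without touching the comparison.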

As if you needed another warning or reason to ditch RC4 and WPA1 (TKIP), here is one more.

Security researchers recently re-ran attacks against WPA-TKIP and RC4-protected networks and sites, and showed that an attack that was once only theoretical is now much easier and more practical, i.e. more worth an attacker's time. Full article: http://arstechnica.com/security/2015/07/once-theoretical-crypto-attack-against-https-now-verges-on-practicality/