[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: |
Maxim Cournoyer |
Subject: |
bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) |
Date: |
Mon, 14 Oct 2019 12:37:49 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) |
Hello,
Tobias Geerinckx-Rice <address@hidden> writes:
> Ludo',
>
> Thanks for your report :-p
>
> The 1777 is obviously very bad, no question. However: question:
>
> Ludovic Courtès 写道:
>> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf
>> of
>> the client for clients connecting over TCP. Or we’d need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> ‘per-user/ludo’.
>
> Assuming the daemon creates it with sane permissions (say 0755) &
> without any race conditions, what's my evil plan now?
>
> Kind regards,
>
> T G-R
It's not yet clear to me how an actual attack would work, but IIUC when
connecting over TCP there's no 'trusted' way to verify the user is
actually the user it says they are; so they could impersonate at will
(and make use of another user's local directory, perhaps arranging to
write something nasty in there).
Is my understanding correct?
Maxim
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/14
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/14
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/14
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix),
Maxim Cournoyer <=
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/15
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/15
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), pelzflorian (Florian Pelz), 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), pelzflorian (Florian Pelz), 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Tobias Geerinckx-Rice, 2019/10/16
- bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix), Ludovic Courtès, 2019/10/16