Security | FyhTech

OpenVPN: updating /etc/resolv.conf

OpenVPN comes with example-scripts to update /etc/resolv.conf using "resolvconf" or systemd-resolvconf. I don't use one of them therefore I modified the script so that it simply changes /etc/resolv.conf directly. I placed a variable "IMMUTEABLE" in this script. If IMMUTEABLE is set to 1, this script will change the fileattribute of /etc/resolv.conf to immuteable. In that way it is possible to prevent other programms like dhcp-clients to change /etc/resolv.conf while openvpn is running.

BSides 2019: Code diving for pop chains

bsides vienna 2019 talk

I gave a talk at the BSides 2019 Vienna about PHP Object Injection. Here is the abstract of this talk:

OkayCMS: Unauthenticated remote code execution

Identifier: AIT-SA-20191129-01
Target: OkayCMS
Vendor: OkayCMS
Version: all versions including 2.3.4
CVE: CVE-2019-16885
Accessibility: Local
Severity: Critical
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

OkayCMS is a simple and functional content managment system for an online store.

FreeRadius: Privilege Escalation via Logrotate

Identifier: AIT-SA-20191112-01

Target: FreeRadius
Vendor: FreeRadius
Version: all versions including 3.0.19
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-10143
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

FreeRadius is a modular Open-Source RADIUS suite.

I "tried harder" and passed another exam

osce emblem

CVE-2019-15741: Privilege Escalation via Logrotate in Gitlab Omnibus

Overview

Identifier: AIT-SA-20190930-01
Target: GitLab Omnibus
Vendor: GitLab
Version: 7.4 through 12.2.1
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-15741
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Vulnerability Description

GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe interaction with logrotate.

Privilege escalation in groonga-httpd (CVE-2019-11675)

Overview

System affected: Debian packages of groonga/-httpd 6.1.5-1
Software-Version: 6.1.5-1
User-Interaction: Not required
Impact: Local root
CVE: CVE-2019-11675

Detailed Description

The path of the logdirectory of groonga-httpd can be manipulated by user groonga:

Anatomy of a Linux container rootkit

This year I gave a talk at the Easterhegg 2019 about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.

Details of a logrotate race-condition

Logrotate is prone to a race-condition on systems with a log directory that is in control of a low privileged user. A malicious user could trick logrotate to create files in any directory if it is executed as root. This might lead into a privileged escalation.

Abusing a race condition in logrotate to elevate privileges

Together with a friend we took part of the Capture The Flag at the 35C3. One challenge was that one:

Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.