Security | FyhTech

Privilege escalation in groonga-httpd (CVE-2019-11675)

Overview

System affected: Debian packages of groonga/-httpd 6.1.5-1
Software-Version: 6.1.5-1
User-Interaction: Not required
Impact: Local root
CVE: CVE-2019-11675

Detailed Description

The path of the logdirectory of groonga-httpd can be manipulated by user groonga:

Anatomy of a Linux container rootkit

This year I gave a talk at the Easterhegg 2019 about a Linux kernel rootkit that can handle containers. I mainly presented my Bachelor work from 2017 with some improvements.

Details of a logrotate race-condition

Logrotate is prone to a race-condition on systems with a log directory that is in control of a low privileged user. A malicious user could trick logrotate to create files in any directory if it is executed as root. This might lead into a privileged escalation.

Abusing a race condition in logrotate to elevate privileges

Together with a friend we took part of the Capture The Flag at the 35C3. One challenge was that one:

Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.

I "tried harder" and passed the exam

oscp

What the hack is "E-Brief"

This week I received an email from my bank company. They advertised that they are cooperating with the "Post"(Austrian mailprovider) and recommended to use "E-Brief" for notifications from them. My first thought was: "it's E-Mail". Because E-Brief translated from german means: "E-Mail". So I took a look in the FAQ's from the Post and they wrote things like(translated from German):

Your E-"Letter Box" from everywhere

High security

Full Disclosure: Remote-Command-Execution in PHKP

Overview

System affected: PHKP
Software-Version: including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b
User-Interaction: Not required
Impact: Remote-Code-Execution
CVE: CVE-2018-1000885

Detailed Description

According to the project-page "PHKP is an implementation of the OpenPGP HTTP Keyserver Protocol (HKP) in PHP".

cryptorecord 0.9.2 released

I proudly pronounce the first (pre-)release of cryptorecord. Cryptorecords is a ruby gem that provides an API and scripts for creating crypto-related dns-records(e.g. DANE). Currently it supports TLSA, OPENPGPKEYS and SSHFP but I plan to support other records in future. The API doesn't create any keys or certificates. It just takes existing keyfiles to create the DNS-records.

Postfix: verified TLS with DANE

TLS via SMTP is opportunistic which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, DANE could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified.

Thoughts about DNSsec

DNS is one of the oldest but also one of the most important network protocols we have and actively use. Dan Kaminsky discovered 2008 some serious flaws in DNS which is very well explained on this site. DNSsec is supposed to solve those problems.