Vulnerability in OverlayFS allows privilege escalation

A vulnerability (CVE-2023-0386) has been identified in the Linux kernel's implementation of the OverlayFS file system. It can be used to obtain root access on systems where the FUSE subsystem is installed and OverlayFS partitions can be mounted by an unprivileged user (starting with Linux kernel 5.11 with unprivileged user namespaces enabled). The issue is fixed in kernel branch 6.2. The release of package updates in distributions can be tracked on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The attack is carried out by copying files with the setgid/setuid flags from a partition mounted in nosuid mode to an OverlayFS partition that has a layer associated with a partition allowing execution of suid files. The vulnerability is close to the issue CVE-2021-3847 identified in 2021, but has lower exploitation requirements: the old issue required manipulation of xattrs, which is limited when user namespaces are in use, while the new issue uses the setgid/setuid bits, which are not specially handled in user namespaces.

Attack algorithm:

  • Using the FUSE subsystem, a file system is mounted that contains a root-owned executable file with the setuid/setgid flags, writable by all users. When mounting, FUSE sets the "nosuid" mode.
  • User/mount namespaces are unshared.
  • OverlayFS is mounted, with the FS previously created in FUSE specified as the lower layer and an upper layer based on a writable directory. The writable directory must reside in a file system that was not mounted with the "nosuid" flag.
  • For the suid file in the FUSE partition, the touch utility changes the modification time, which causes the file to be copied up to the upper layer of OverlayFS.
  • When copying, the kernel does not clear the setgid/setuid flags, so the file ends up in a partition that allows setgid/setuid processing.
  • To obtain root rights, it is enough to run the file with the setgid/setuid flags from the directory attached to the upper layer of OverlayFS.
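The combination the steps above rely on (an overlay whose lower layer is a nosuid FUSE mount and whose upper layer sits on a mount without nosuid) can be audited from /proc/self/mountinfo. The following is an added defensive check, not code from the article; it parses a constructed mountinfo sample in the standard format and assumes the overlay's lowerdir/upperdir appear in its super-block options.

```python
"""Audit /proc/self/mountinfo for overlays that let setuid bits cross a nosuid
boundary: lower layer on a FUSE/nosuid mount, upper layer on a mount without nosuid.
Finding such a layout does not prove the kernel is unpatched; it shows where the
copy-up path described for CVE-2023-0386 would matter."""
from dataclasses import dataclass


@dataclass
class Mount:
    point: str        # mount point (field 5 of mountinfo)
    opts: set         # per-mount options such as rw, nosuid, nodev
    fstype: str       # file system type, e.g. ext4, fuse.sshfs, overlay
    super_opts: dict  # super-block options, e.g. lowerdir=..., upperdir=...


def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields = pre.split()
        if not sep or len(pre_fields) < 6:
            continue  # malformed or empty line
        post_fields = post.split(None, 2)
        super_opts = {}
        for kv in (post_fields[2] if len(post_fields) > 2 else "").split(","):
            k, _, v = kv.partition("=")
            super_opts[k] = v
        mounts.append(Mount(pre_fields[4].replace("\\040", " "),
                            set(pre_fields[5].split(",")), post_fields[0], super_opts))
    return mounts


def owning_mount(path, mounts):
    """Return the mount whose mount point is the longest prefix of `path`."""
    best = None
    for m in mounts:
        if path == m.point or path.startswith(m.point.rstrip("/") + "/"):
            if best is None or len(m.point) > len(best.point):
                best = m
    return best


def risky_overlays(text):
    """Return (overlay mount point, lowerdir, upperdir) for every risky layout."""
    mounts = parse_mountinfo(text)
    findings = []
    for ov in (m for m in mounts if m.fstype == "overlay"):
        upper = ov.super_opts.get("upperdir")
        if not upper:
            continue  # read-only overlay: nothing is ever copied up
        up_m = owning_mount(upper, mounts)
        if up_m is None or "nosuid" in up_m.opts:
            continue  # copied-up suid bits would be ignored on this mount anyway
        for low in ov.super_opts.get("lowerdir", "").split(":"):
            low_m = owning_mount(low, mounts)
            if low_m and (low_m.fstype.startswith("fuse") or "nosuid" in low_m.opts):
                findings.append((ov.point, low, upper))
    return findings


# Constructed sample: a nosuid FUSE mount used as lower layer of two overlays;
# only /mnt/merged has its upper layer on a mount without nosuid.
SAMPLE_MOUNTINFO = """\
30 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
35 30 8:2 / /home rw,relatime shared:2 - ext4 /dev/sda2 rw
40 30 0:60 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k
90 30 0:45 / /tmp/fuse_lower rw,nosuid,nodev,relatime - fuse.myfs myfs rw,user_id=1000
100 30 0:50 / /mnt/merged rw,relatime - overlay overlay rw,lowerdir=/tmp/fuse_lower,upperdir=/home/user/upper,workdir=/home/user/work
110 30 0:51 / /mnt/safe rw,relatime - overlay overlay rw,lowerdir=/tmp/fuse_lower,upperdir=/run/user/1000/upper,workdir=/run/user/1000/work
"""

if __name__ == "__main__":
    for point, low, up in risky_overlays(SAMPLE_MOUNTINFO):
        print(f"{point}: lower {low} (nosuid/FUSE) -> upper {up} (no nosuid)")
```

On a live host, pass `open("/proc/self/mountinfo").read()` to `risky_overlays` instead of the sample.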

Additionally, researchers from the Google Project Zero team have disclosed information about three vulnerabilities that were fixed in the mainline Linux kernel 5.15 branch but were not ported to the kernel packages of RHEL 8.x/9.x and CentOS Stream 9.

  • CVE-2023-1252 - use-after-free (access to an already freed memory area) in the ovl_aio_req structure when performing several operations simultaneously in OverlayFS deployed on top of the Ext4 file system. Potentially, the vulnerability allows privilege escalation in the system.
  • CVE-2023-0590 - use-after-free in the qdisc_graft() function. Exploitation is expected to be limited to an abnormal termination.
  • CVE-2023-1249 - use-after-free in the coredump code, caused by a missing mmap_lock call in file_files_note. Exploitation is expected to be limited to an abnormal termination.

source: budenet.ru
