Vulnerability in systemd-coredump that allows the memory contents of suid programs to be read

A vulnerability (CVE-2022-4415) has been identified in the systemd-coredump component, which processes the core files generated after a process crashes. It allows an unprivileged local user to determine the memory contents of privileged processes running with the suid root flag. The issue has been confirmed in the default configuration of the openSUSE, Arch, Debian, Fedora and SLES distributions.

The vulnerability is caused by systemd-coredump not correctly honouring the fs.suid_dumpable sysctl parameter, which, at its default value of 2, allows core dumps to be produced for processes that carry the suid flag. The intent of that mode is that core files of suid processes written directly by the kernel are given permissions that let only the root user read them (the kernel creates them root-owned with mode 0600); when core_pattern instead pipes the dump to a helper, the helper is expected to apply the same care. The systemd-coredump utility, which the kernel invokes to save core files, does store the core file under the root ID, but it additionally grants read access through an ACL based on the ID of the user who originally launched the process.

This behaviour lets the core file be read regardless of the fact that the program may have switched user ID and was running with elevated privileges. The attack boils down to a user launching a suid application, sending it a SIGSEGV signal, and then reading the contents of the core file, which includes a snapshot of the process memory at the moment of the abnormal termination.

For example, a user can run "/usr/bin/su" and, from another terminal, terminate it with the command "kill -s SIGSEGV `pidof su`", after which systemd-coredump saves the core file in the /var/lib/systemd/coredump directory and sets an ACL on it that allows the current user to read it. Since the suid utility 'su' reads the contents of /etc/shadow into memory, an attacker can obtain the password hashes of all users on the system. The sudo utility is not susceptible to the attack, since it disables the creation of core files through the ulimit (RLIMIT_CORE) mechanism.

According to the systemd developers, the vulnerability appeared starting with systemd release 247 (November 2020), but according to the researcher who identified the problem, release 246 is also affected (meaning all popular distributions are affected). The fix is currently available as a patch. Fixes in the distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch. As a security workaround, you can set the sysctl fs.suid_dumpable to 0, which makes the kernel skip dumping suid processes entirely, so nothing is handed to the systemd-coredump handler. Note that this also loses crash diagnostics for suid programs; it does not change how non-suid processes are dumped.
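The following shell script is an added example and not part of the original article or of the systemd project. It audits the two kernel settings that together decide whether a crashed setuid process is dumped and who is responsible for protecting the dump (the mechanism described above), and applies the fs.suid_dumpable=0 workaround persistently. The /proc paths are passed as parameters so the functions can be run against copied files; the drop-in file name under /etc/sysctl.d is an assumed name, not one prescribed by systemd or any distribution.

```shell
#!/bin/sh
# Added example, not from the article: audit the kernel knobs behind CVE-2022-4415
# and apply the documented workaround. Paths are parameters so the checks can be
# run against copies of the /proc files. The sysctl drop-in name is an assumption.

# Read a one-line sysctl value and strip whitespace.
read_value() {
    tr -d '[:space:]' < "$1"
}

# "pipe" when core_pattern starts with '|' (dumps are handed to a helper such as
# systemd-coredump), "file" when the kernel itself writes the core file.
core_handler_mode() {
    case "$(cat "$1")" in
        \|*) echo pipe ;;
        *)   echo file ;;
    esac
}

# Classify exposure from suid_dumpable ($1) and core_pattern ($2):
#   safe            suid_dumpable=0: setuid processes are never dumped.
#   unsafe          suid_dumpable=1: dumped like an ordinary process, readable by the user.
#   kernel-enforced suid_dumpable=2, file mode: the kernel writes the core root-owned, 0600.
#   helper-decides  suid_dumpable=2, pipe mode: the helper must enforce root-only access;
#                   an unpatched systemd-coredump grants the launching user a read ACL.
coredump_exposure() {
    case "$(read_value "$1")" in
        0) echo safe ;;
        1) echo unsafe ;;
        2) if [ "$(core_handler_mode "$2")" = pipe ]; then
               echo helper-decides
           else
               echo kernel-enforced
           fi ;;
        *) echo unknown ;;
    esac
}

# Workaround from the article, made persistent: write a sysctl drop-in and apply it.
# Optional argument: drop-in path (default is an assumed name). Requires root.
# Side effect: crash diagnostics for setuid programs are lost as well.
apply_mitigation() {
    conf=${1:-/etc/sysctl.d/50-no-suid-coredump.conf}
    printf 'fs.suid_dumpable = 0\n' > "$conf"
    sysctl -p "$conf"
}

# Usage: ./coredump-audit.sh --audit   (inspect the live system)
#        ./coredump-audit.sh --fix     (as root: apply the workaround)
case "${1-}" in
    --audit) coredump_exposure /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern ;;
    --fix)   apply_mitigation ;;
esac
```

Running the audit on a default systemd installation prints "helper-decides", which is exactly the situation in which the unpatched systemd-coredump hands out the ACL; after applying the workaround it prints "safe". Distributions that restore the kernel's file-mode core_pattern instead of piping are in the "kernel-enforced" state and were not exposed by this bug.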

source: budenet.ru
