Unbelievable That This Went Unnoticed for So Long

Posted on January 17, 2010

Hiding, with 20-20 Vision

What Linux specific software would you consider has arduous and scrutinising source code security reviews?

Aside from “the kernel”, you might have said the Linux firewall: Netfilter.

The title of this post is a quote from a suprised Linux Netfilter team member, in response to a bug report from Florian Westphal.

Florian noticed that non-privileged users could add/delete/modify Ethernet Bridging ACLs, actions normally restricted to the system administrator.

Can I Haz Evil Client?

To exploit the vulnerability, you need a custom client. The official ebtables utility won’t let you abuse the bug as it makes a privileged call for a raw socket (SOCK_RAW) long before calling the vulnerable kernel code. Since SOCK_RAW requires network admin capabilities (CAP_NET_ADMIN) normal users Do Not Pass Go.

To become a link layer $DEITY, an attacker could remove the privileged calls from the stock ebtables client or write a small program that just calls the vulnerable netfilter kernel routine (do_ebt_set_ctl).

Where Did I Put That Check?

The side effect of that earlier SOCK_RAW call was unintentional auditor misdirection. If you audit the client code – without referring to the kernel code – you completely miss the bug.

This “slap on the forehead” bug is an excellent reminder that when we review “systems” for security weaknessses, we need to evaluate related components, aswell as their interactions (“intended vs. actual”). If we don’t, we’re only looking at half the picture. This approach doesn’t just apply to code audits though: its equally valuable during real-world process audits.

Although a surprising omission, there is no suggestion this vulnerability was caused by premeditated client side security. That happens when misguided developers embed security checks solely in the client, often in the belief that no-one is as smart as they are. Vulnerability databases tell a different story.

What Can Developers Do About It?

An effective avoidance strategy for this type of bug is for developers to externalise their assumptions through the development of test cases (comments in code are nice, but give me a test case anyday). Test cases embody developers intentions and in the process, help keep the gun from the developers feet.

(via: CVE-2010-0007: Linux kernel netfilter ebtables Missing Check)

Image credit: bommelm├╝tzenkind