GitLab

capng_lock sets securebits in an attempt to prevent regaining capabilities using setuid-root programs. This works, but it has little effect on setcap’d programs, and it allows a user to run setuid programs as uid 0 but without capabilities, which is potentially dangerous.

seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges.

•MLIST:[oss-security] 20140429 local privilege escalation due to capng_lock as used in seunshare
•URL: http://openwall.com/lists/oss-security/2014/04/29/7
•MLIST:[oss-security] 20140430 Re: local privilege escalation due to capng_lock as used in seunshare
•URL: http://openwall.com/lists/oss-security/2014/04/30/4
•MLIST:[oss-security] 20140507 Re: local privilege escalation due to capng_lock as used in seunshare
•URL: http://openwall.com/lists/oss-security/2014/05/08/1
•BID:67341
•URL: http://www.securityfocus.com/bid/67341
•SECUNIA:59007
•URL: http://secunia.com/advisories/59007

(from redmine: issue id 3026, created on 2014-06-12, closed on 2014-06-24)

• Relations:
  • child #3028 (closed)
  • child #3029 (closed)
  • child #3030 (closed)
  • child #3031 (closed)