CVE-2015-0235: “Highlights”

Please don’t overhype the vulnerability. Here are the quick and dirty things you need to know.

1. CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems that use older versions of the GNU C Library (glibc versions earlier than 2.18).

2. glibc is the GNU C Library, a core component of Linux that implements the C standard library.

3. The patch has existed since 2013 and is included in glibc 2.18.

4. It’s not another Heartbleed; the attack surface is still largely unknown.

5. Capable of remote or local code execution.

6. In contrast to a vulnerability like Heartbleed, this issue is not always exploitable. In fact, in a general sense, this is not an easy bug to exploit.
   a. Only one easily exploitable case has been identified so far: the Exim mail server.

7. This issue is difficult to test for, as the full attack surface is not yet known.
   a. glibc version checks:
      i. root$ /lib/x86_64-linux-gnu/
      ii. root$ ldd --version

8. Deep dive here:

Bypass Secure Mount Points on Linux

To mount or not to mount… it’s really not a question. You want your data? Mount your drives. But how do you do it securely? Can we limit the chance of privilege escalation through restrictive mounts?

Let’s look at some of the common mounting options within Linux; by default filesystems are mounted with the following options set: rw, suid, dev, exec, auto, nouser, and async.

rw – Mounts the filesystem readable and writable.
suid – Allows the SUID and SGID bits to take effect.
dev – Interprets character or block special devices.
exec – Permits the execution of binary files.
auto – Allows the mounting of the filesystem with the ‘mount -a’ command.
nouser – Forbids a non-root user from mounting the filesystem.
async – All input and output on the filesystem should be done asynchronously.

For security we have these few basic mount options: (I’ll cover encryption later on down the line)

ro – Mounts the filesystem as read only.
nodev – Does not interpret character or block special devices on the filesystem.
noexec – Denies binary file execution.
nosuid – Ignores the SUID and SGID bits on files.

Application: mount -o nodev,noexec,nosuid /dev/{deviceID} /tmp
– This mounts the specified filesystem at /tmp, ignores SUID and SGID bits, forbids execution of binaries, and does not interpret character or block special devices.
– Nothing should need to execute from this directory. It still allows writing files such as logs and parsed data, but an attacker cannot execute malicious binary files from this location.
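Checking that writable locations actually carry the three options is the tedious part, so here is an added example (not from the original post) that audits mount entries in /proc/mounts format for nodev, noexec and nosuid. The sample mount lines and the list of watched mount points are constructed for illustration; on a live system you would feed it /proc/mounts instead.

```shell
# Added example: report mounts that lack nodev, noexec or nosuid.
# Input lines use the /proc/mounts layout:
#   <source> <target> <fstype> <options> <dump> <pass>

# Print the hardening options absent from a comma-separated option string,
# e.g. "rw,relatime" -> "nodev noexec nosuid"; prints nothing if all present.
missing_hardening_opts() {
    missing=""
    for want in nodev noexec nosuid; do
        case ",$1," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Read mount lines on stdin and print one line per watched mount point
# (space-separated list in $1) that is missing any of the three options.
audit_mounts() {
    watched=$1
    while read -r src target fstype opts _rest; do
        # Only look at mount points the caller asked about.
        case " $watched " in
            *" $target "*) ;;
            *) continue ;;
        esac
        lacking=$(missing_hardening_opts "$opts")
        if [ -n "$lacking" ]; then
            echo "$target ($fstype): missing $lacking"
        fi
    done
}

# Constructed sample in /proc/mounts format (not captured from a real host):
# /tmp is fully hardened, /home has none of the options, /dev/shm lacks noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts "/tmp /dev/shm /home /var/tmp"
# On a live host: audit_mounts "/tmp /dev/shm /home /var/tmp" < /proc/mounts
```

The watched list is deliberately explicit rather than "everything", because the root filesystem and /usr legitimately need exec and suid; the places worth flagging are the writable, world-accessible ones such as /tmp, /var/tmp, /dev/shm and /home.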

Be careful and put some deep thought into the mount options for your filesystems. These options can prevent security incidents from becoming more dangerous. I say they “can prevent” rather than “prevent” because these options can be bypassed by using /lib/ to execute binaries residing on restrictively mounted filesystems.

Syntax for bypassing restrictive mounts on older kernels:
$ /lib/ ~/id
uid=1001(edd) gid=1001(edd) groups=1001(edd),1002(wheel)

Syntax for bypassing restrictive mounts on newer kernels:
Execute fixelf.c to bypass.
{REF for fixelf.c}