[capsicum] fetch sandboxing



Hi guys,

I've been playing a bit with capsicum again. I studied the vulnerabilities
of the fetch utility.

There was a vulnerability due to an integer overflow which was not properly
checked. The patch is below:

Index: usr.bin/fetch/fetch.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/fetch/fetch.c,v
retrieving revision 1.74
diff -u -p -r1.74 fetch.c
--- usr.bin/fetch/fetch.c       21 Sep 2004 18:34:19 -0000      1.74
+++ usr.bin/fetch/fetch.c       14 Nov 2004 14:03:12 -0000
@@ -584,7 +584,8 @@ fetch(char *URL, const char *path)
        /* suck in the data */
        signal(SIGINFO, sig_handler);
        while (!sigint) {
-               if (us.size != -1 && us.size - count < B_size)
+               if (us.size != -1 && us.size - count < B_size &&
+                   us.size - count >= 0)
                        size = us.size - count;
                else
                        size = B_size;


I write a simple patch to enter capability mode right after the counter was
started:

--- /usr/src/usr.bin/fetch/fetch.c.orig	2015-01-25 21:23:48.000000000 +0400
+++ /usr/src/usr.bin/fetch/fetch.c	2015-01-25 22:42:19.000000000 +0400
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: releng/10.1/usr.bin/
 #include <string.h>
 #include <termios.h>
 #include <unistd.h>
+#include <sys/capability.h>
 
 #include <fetch.h>
 
@@ -713,6 +714,10 @@ fetch(char *URL, const char *path)
 	/* start the counter */
 	stat_start(&xs, path, us.size, count);
 
+	/* Enter capability mode */
+	if (cap_enter() < 0 && errno != ENOSYS)
+		warnx("Unable to enter capability mode");
+
 	sigalrm = siginfo = sigint = 0;
 
 	/* suck in the data */

Incidently, the vulnerable code was right after the sandboxing code. 

Testing the patch:

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:16/fetch.patch
fetch.patch                                   100% of  626  B 1762 kBps 00m00s

fetch is able to work in capability mode once the descriptors have already
been opened.


However, overwriting an existing file results in:
fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:16/fetch.patch
fetch.patch                                   100% of  626  B 2465 kBps 00m00s
fetch: fetch.patch: rename(): Not permitted in capability mode

Examining the code shows that it calls rename().

       if (tmppath != NULL && rename(tmppath, path) == -1) {
                warn("%s: rename()", path);
                goto failure_keep;
        }

That's where I think that we should use renameat() instead.

Feedback to improve the patch is welcomed. An interesting consequence of the
patch is that it prevents explotation of a known vulnerability in fetch.

In my opinion, this shows that capsicum is very useful in mitigation 
known and unknown vulnerabilities. 

Kind regards,
//Logan
C-x-C-c




This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.