
“Holey beep”: critical vulnerability found in Linux “beeper”
A vulnerability has been discovered in beep, a small third-party Linux utility, that lets an unprivileged user trigger side effects on arbitrary files and learn their type. Below we explain what the problem is and which fixes the community has proposed.


What does beep do
The beep utility produces audible alerts for errors that occur while working on the command line and, more generally, lets you drive the PC speaker. It was written by developer Johnathan Nightingale, who wanted more control over the console beeper than the plain printf("\a") offers.
The essence of the vulnerability
The first news came from holeybeep.ninja, which describes the vulnerability in a satirical manner. The Register believes the site is a parody of the habit of branding bugs and giving each of them its own web page. Official bug reports followed later.
A Debian bug report noted that beep reveals whether any given file exists, even one that should be hidden from the user making the request.
$ ls -ld /etc/hidden/
drwx------ 2 root root 4096 Apr 7 08:18 /etc/hidden/
$ ls -l /etc/hidden/secret
ls: cannot access '/etc/hidden/secret': Permission denied
$ ls -l /etc/hidden/nonexistent
ls: cannot access '/etc/hidden/nonexistent': Permission denied
$ beep -e /etc/hidden/secret
ioctl: Inappropriate ioctl for device
ioctl: Inappropriate ioctl for device
$ beep -e /etc/hidden/nonexistent
Could not open /etc/hidden/nonexistent for writing
open: No such file or directory
In the same way the error text reveals the file's type, which the requesting user is not entitled to know (for a socket, for example, beep prints "No such device or address"). None of this should be possible when the file sits in a directory the calling user cannot enter. The open itself is also a side effect an attacker can use to block the launch of arbitrary programs: beep -s -e /bin/sh makes the setuid binary open the shell for writing, and while it holds that descriptor every attempt to execute /bin/sh fails with ETXTBSY ("Text file busy"), which amounts to a denial of service.
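The two behaviours above, the leaked errno and the unconstrained open, come from one pattern: a setuid-root program opens whatever path the user hands it and passes the raw error back. The following C is an added example, not code from the beep project. leaky_open_device has the shape of that pattern; hardened_open_device is one way to constrain it: the canonical path must lie below /dev/, the final component may not be a symlink, the opened object must be a character device (checked with fstat on the descriptor, not stat on the path, to avoid a check-then-open race), and every failure produces the same message. The prefix, the message text and the temporary file in the demo are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not beep's own code.
 * Problematic shape: returns an fd, or -errno. The caller (an unprivileged
 * user, if this runs setuid root) sees ENOENT, EISDIR, ENXIO, ETXTBSY ...,
 * each of which says something about a file it may not be allowed to see. */
int leaky_open_device(const char *path)
{
    int fd = open(path, O_WRONLY);
    return fd < 0 ? -errno : fd;
}

/* True if fd refers to a character device, which is what a console or
 * speaker node is. Checked on the descriptor, so there is no TOCTOU window. */
int is_char_device(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISCHR(st.st_mode);
}

/* One message for every failure (assumed wording). */
static const char UNIFORM_ERR[] = "beep: cannot use the requested device";

/* Hardened open. On success returns 0 and stores the fd; on any failure
 * returns -1 and stores the same message, whatever the underlying cause. */
int hardened_open_device(const char *path, int *fd_out, const char **msg_out)
{
    *fd_out = -1;
    *msg_out = UNIFORM_ERR;

    char *canon = realpath(path, NULL);         /* NULL on any lookup error */
    if (!canon)
        return -1;
    int under_dev = strncmp(canon, "/dev/", 5) == 0;   /* assumed allow-list */
    free(canon);
    if (!under_dev)
        return -1;

    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (!is_char_device(fd)) {                  /* e.g. a regular file planted under /dev */
        close(fd);
        return -1;
    }
    *fd_out = fd;
    *msg_out = NULL;
    return 0;
}

/* Demo: a regular file (constructed here; it is not a device) is happily
 * opened for writing by the leaky version, i.e. the side effect has already
 * happened, while the type check rejects it. Returns 1 if both hold. */
int demo_regular_file(void)
{
    char tmpl[] = "/tmp/beep-demo-XXXXXX";      /* constructed temp file */
    int tfd = mkstemp(tmpl);
    if (tfd < 0)
        return 0;
    int leaky_fd = leaky_open_device(tmpl);
    int ok = leaky_fd >= 0 && !is_char_device(tfd);
    if (leaky_fd >= 0)
        close(leaky_fd);
    close(tfd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    int fd;
    const char *msg;
    /* Distinguishable errors: ENOENT for a missing path, EISDIR for a directory. */
    printf("leaky: missing -> errno %d, directory -> errno %d\n",
           -leaky_open_device("/nonexistent-dir/secret"), -leaky_open_device("/dev"));
    if (hardened_open_device("/dev/null", &fd, &msg) == 0) {
        puts("hardened: /dev/null accepted");
        close(fd);
    }
    hardened_open_device("/nonexistent-dir/secret", &fd, &msg);
    puts(msg);
    hardened_open_device("/dev", &fd, &msg);
    puts(msg);                                   /* same text as the line above */
    printf("regular file: leaky opens it, type check rejects it: %d\n", demo_regular_file());
    return 0;
}
```

The allow-list narrows what a root-privileged open can touch and the uniform message closes the oracle, but it is a mitigation layered on a design that still opens files as root; the more thorough answer discussed further down is not to install the binary setuid at all.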
As GitHub users note, the root cause is a race in the signal handler, which calls free(). That function is not on the async-signal-safe list, so it must never be called from a handler: if another signal interrupts free() midway, the allocator's internal data structures and global heap-management state are left inconsistent.
One GitHub commenter points out that in the latest beep.c a single handler serves two signals (SIGINT and SIGTERM). Delivering them in quick succession runs handle_signal() more than once on the same state, which results in a double free.
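The following C is an added example, not beep's own code, showing the handler shape criticised above next to the async-signal-safe replacement. A hypothetical linked list of parsed parameters stands in for beep's heap state. unsafe_handle_signal frees that list from a handler shared by SIGINT and SIGTERM, so a second signal arriving while free() is in progress re-enters the handler on the same list; it is defined only for contrast and never installed. safe_handle_signal does the one thing a handler may safely do, store the signal number in a volatile sig_atomic_t, and all freeing happens once, in normal context, after the list has been detached.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not beep's own code. Hypothetical stand-in for beep's
 * parsed-parameter list (heap state a handler might touch). */
struct params { int freq_hz; int length_ms; struct params *next; };

static struct params *g_list;

/* Unsafe shape: free() is not async-signal-safe. If SIGTERM arrives while
 * this SIGINT handler is inside free(), the handler runs again over the same
 * nodes: double free and corrupted allocator state. Defined for contrast
 * only; never installed below. */
void unsafe_handle_signal(int sig)
{
    (void)sig;
    for (struct params *p = g_list; p; ) {
        struct params *next = p->next;
        free(p);                        /* interruptible; re-entry frees p again */
        p = next;
    }
    g_list = NULL;                      /* too late to stop the re-entrant pass */
    _exit(1);
}

/* Safe shape: the handler only records which signal arrived. */
static volatile sig_atomic_t g_signalled;

void safe_handle_signal(int sig)
{
    g_signalled = sig;                  /* a sig_atomic_t store is async-signal-safe */
}

int last_signal(void)
{
    return (int)g_signalled;
}

/* Cleanup in normal context. The list is detached before the first free(),
 * so even an accidental second call frees nothing. Returns nodes freed. */
int release_params(void)
{
    struct params *p = g_list;
    g_list = NULL;
    int n = 0;
    while (p) {
        struct params *next = p->next;
        free(p);
        p = next;
        n++;
    }
    return n;
}

/* One handler for both signals, as in beep.c, but one that cannot re-enter
 * anything dangerous. Returns 0 on success, -1 if sigaction fails. */
int install_safe_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handle_signal;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGINT, &sa, NULL) < 0 || sigaction(SIGTERM, &sa, NULL) < 0)
        return -1;
    return 0;
}

static void push_param(int freq_hz, int length_ms)
{
    struct params *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->freq_hz = freq_hz;
    p->length_ms = length_ms;
    p->next = g_list;
    g_list = p;
}

/* Demo: three constructed parameters, then SIGINT followed immediately by
 * SIGTERM (the sequence that breaks the unsafe handler), then a single
 * cleanup pass from the main flow. Returns the number of nodes freed. */
int demo_safe_shutdown(void)
{
    push_param(440, 200);
    push_param(880, 200);
    push_param(1760, 200);
    if (install_safe_handlers() < 0)
        return -1;
    raise(SIGINT);                      /* handler stores SIGINT and returns */
    raise(SIGTERM);                     /* second signal only overwrites the flag */
    if (!g_signalled)
        return -1;
    return release_params();            /* exactly one free per node */
}

int main(void)
{
    int freed = demo_safe_shutdown();
    printf("last signal %d, freed %d nodes, second pass frees %d\n",
           last_signal(), freed, release_params());
    return 0;
}
```

In a real program the main loop would poll g_signalled between units of work (or block in pselect/sigsuspend) and run release_params() before exiting; the point is that nothing touching the heap ever executes in signal context.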

Patches and proposed solutions
To fix the vulnerability, the developers of several distributions (Ubuntu, for example) released a patch. According to the community, however, it does not resolve all of beep's problems: as noted in the GitHub discussion, it closes the race condition but leaves the information disclosure in place.
For this reason, researcher Hanno Böck suggests a more radical fix: stop installing beep setuid at all. He also notes that the utility is largely unnecessary on modern hardware, since many machines no longer have a PC speaker. As a replacement he suggests going back to the simple and safe printf("\a"), which is what the SUSE developers did.