According to this post at Seclists, the udev rules in version 3.0 of the US and the rc.sysint script in version 2.0 are both world-writable. Both of these have root privilege.
Because of the slack file permission management in Red Star 3.0, the device manager for HP 1000-series LaserJet printers, /etc/udev/rules.d/85-hplj10xx.rules, can be modified to include RUN+= arguments. These commands will run on on the udev daemon as root. There's a demonstration at github.
Udev's main job is to watch the /dev (devices) directory, and when a device is plugged into a USB port, it loads the appropriate ruleset.
By writing to the rc.sysint file in the older Red Star 2.0, an attacker can execute commands as root (demonstration).
Rooted: "HackerFantastic's" Red Star 3.0 vulnerability demo
Both vulnerabilities provide privilege escalation for local users.As The Register noted when the OSX-skinned operating system first leaked, there's also an error in the OS's Software Manager. Although root access is denied by default, users can install unsigned software. Developer RichardG has created an RPM that gets around the default restrictions.
The OSX-like skin put on top of Red Star OS's Linux innards was first seen in February after Will Scott spent time in Pyongyang teaching computer science and returned with screenshots.
El Reg expects the current crop of vulns will by no means be the last to emerge in the OS.
No comments:
Post a Comment