audit 2.4.4 released

Steve Grubb sgrubb at redhat.com
Fri Aug 14 17:04:17 UTC 2015


On Friday, August 14, 2015 09:30:56 AM LC Bruzenak wrote:
> On 08/13/2015 02:30 PM, Steve Grubb wrote:
> > ...
> > 
> > If you ausearch -i on that file, your screen will get underlines with all
> > the text. An attacker could change this to be worse than just underlining
> > your text. They could try to write to the window title and then bounce
> > that back in black on black text to the command prompt hoping the admin
> > will press enter.
>
> Wow; that's something unexpected. Thanks for this extra info Steve; I
> may need to backport to my version.
> Are these changes isolated to the ausearch/aureport code sets or inside
> libs?

Well, that's where it gets complicated. Ausearch was converted to use auparse 
for interpretations a while back. So, I had to patch the whole mess. Any 
utility that uses auparse can also unwittingly pass along terminal escape 
sequences through the interpret function.

So, what I did in auparse is to create a new function: 
auparse_set_escape_mode. It takes one argument which can be any of:

AUPARSE_ESC_RAW - do nothing. Just passes control characters and all.

AUPARSE_ESC_TTY - escape control characters by turning them to octal. This is 
the same thing syslog does. This is the default.

AUPARSE_ESC_SHELL - escape control characters and any of these "'`$\ by 
prepending a \ to the character

AUPARSE_ESC_SHELL_QUOTE - escape control characters and any of these ;'"`#$&*?
[]<>{}\ by prepending a \ to the character.

Once this is set, every output from auparse is escaped. This will allow 
ausearch/report to shell escape output in a future release. Additionally, it 
was found you could inject control characters by the auditctl command. It now 
prevents that.

So, the patch is rather large and ugly:
https://fedorahosted.org/audit/changeset/1122

You have to be on a susceptible terminal emulator to have any real problems. 
It's for this reason the Security Response Team rates this as low. But in terms 
of audit, you don't want a file path to suddenly change to black on black text 
so that you can't see the full path.

-Steve
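The four escape modes listed in the mail, as an added example in C that is not the auparse code from the changeset. The character sets per mode come from the mail; the output format (syslog-style octal for control characters in every non-raw mode, DEL treated as a control character) and the function names `escape_for_mode` and `escapes_to` are this example's own assumptions, as is the constructed sample path.

```c
/* Added example, not auparse: escapes a field value the way the four
 * AUPARSE_ESC_* modes are described in the mail. Control characters become
 * octal in every non-raw mode (assumed; the mail only says "turning them to
 * octal" for TTY), and DEL (0x7f) is treated as a control character. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum esc_mode { ESC_RAW, ESC_TTY, ESC_SHELL, ESC_SHELL_QUOTE };

/* Punctuation each shell mode escapes in addition to control characters. */
static const char *shell_chars       = "\"'`$\\";
static const char *shell_quote_chars = ";'\"`#$&*?[]<>{}\\";

static int is_control(unsigned char c)
{
    /* ESC (0x1b), which starts every terminal sequence, falls in this range. */
    return c < 0x20 || c == 0x7f;
}

static int needs_escape(unsigned char c, enum esc_mode mode)
{
    if (mode == ESC_RAW)
        return 0;
    if (is_control(c))
        return 1;
    if (mode == ESC_SHELL)
        return strchr(shell_chars, c) != NULL;
    if (mode == ESC_SHELL_QUOTE)
        return strchr(shell_quote_chars, c) != NULL;
    return 0;
}

/* Returns a newly allocated escaped copy of `in`; the caller frees it. */
char *escape_for_mode(const char *in, enum esc_mode mode)
{
    size_t len = strlen(in);
    char *out = malloc(len * 4 + 1);   /* worst case: every byte becomes "\ooo" */
    if (!out)
        return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (!needs_escape(*s, mode)) {
            *p++ = (char)*s;
        } else if (is_control(*s)) {
            p += sprintf(p, "\\%03o", *s);  /* e.g. ESC -> \033, as syslog does */
        } else {
            *p++ = '\\';                    /* shell metacharacter: prefix a backslash */
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Convenience check: does `in` escape to exactly `expected` under `mode`? */
int escapes_to(const char *in, enum esc_mode mode, const char *expected)
{
    char *got = escape_for_mode(in, mode);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample: a path carrying the "black on black" SGR sequence
     * the mail warns about. RAW mode is skipped here so the demo itself never
     * writes the live sequence to the terminal. */
    const char *path = "/tmp/\033[30;40mhidden.sh";
    const char *names[] = { "RAW", "TTY", "SHELL", "SHELL_QUOTE" };
    for (int m = ESC_TTY; m <= ESC_SHELL_QUOTE; m++) {
        char *e = escape_for_mode(path, (enum esc_mode)m);
        printf("%-12s %s\n", names[m], e);
        free(e);
    }
    return 0;
}
```

In TTY mode the sample path prints as `/tmp/\033[30;40mhidden.sh`, so the admin sees the sequence as text instead of having the rest of the line recoloured; the two shell modes additionally backslash the punctuation that would matter if the output were pasted into a command line.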
