Profile picture
Darkarnium
@Darkarnium
, 11 tweets, 4 min read Read on Twitter
So, the #Alpine Linux #Docker root password issue (CVE-2019-5021) has been interesting to follow over the last few days. This is a security regression I reported earlier this year which resulted in this CVE. So, why “interesting”? (1/11)
Between posts of "this seems bad", "this isn't a vulnerability" - and a handful of rather colourful personal attacks for good measure - the impact of this issue seems to have been muddied leaving some questions as to potential impact. (2/11)
The major caveat, from my perspective, is that successful exploitation requires a specific configuration and is not exploitable on an “out of the box” Alpine image: The vulnerability exists, but there are no mechanisms to trigger it. (3/11)
Alpine symlinks 'su', 'login', and friends to a multicall binary (busybox) by default which is NOT suid root. In addition the image lacks PAM, and has no network services installed. Effectively, as shipped, it’s not exploitable. (4/11)
As a result, the likelihood of exploitation for this issue seems to be low as it requires a configuration which seems potentially uncommon. That said, there are a number of cases where successful exploitation can be demonstrated: (5/11)
Earlier yesterday @ropnop demonstrated a quick PoC of how this can occur through installation of the ‘shadow’ package and creation of a new user: (6/11).
Another avenue is the installation of a package which uses PAM as an authentication backend. One example of this is ‘vsftpd’ which is in the default Alpine repository and which also pulls in ‘linux-pam’ when installed. (7/11)
In this example, ‘/etc/vsftpd/vsftpd.conf’ was updated were to disable anonymous access, and uncommented ‘local_enable=YES’ to use the local authentication database - as we added a local user for ourselves to use (‘example’). (8/11)
With this said, these are contrived examples. However, what are base images for if not the extension by a consumer? A blank slate onto which new binaries, users, and other strata are laid in order to build out a required system. (9/11)
Accidental misconfiguration is possible, as is installation of other vulnerable packages, but the addition of a package to expose a well configured service should not result in a bonus root login for anyone that asks, either. (10/11)
...Of course, these thoughts and opinions are mine, and mine alone :) (11/11)
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Darkarnium
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#Alpine #Docker

Related threads

Profile picture
Jay Rosen
@jayrosen_nyu
Over the last few days, it's become clearer and clearer to me that, without intervention, coverage of the 2020 campaign is likely to be a disaster for everyone except Trump and his core voters, who want to watch it all burn anyway. In this thread I describe the danger I see. 1/
By "disaster for everyone," I mean all candidates opposing Trump, journalists themselves, voters from all sides (except those who have exited from the news system by merging with his hate campaign against the news media) and anyone who seeks the repair of American democracy. 2/
Start with the simple fact of inertia. In ruins after the debacle of 2016, the horse race model and "game" schema that have instructed campaign journalism for at least 40 years are up and running again. It appears the bosses have no better ideas, and no will to develop them. 3/
Read 26 tweets
Profile picture
Abdulla Saad
@KarakMufti
Over the last few days, I've seen a lot of people attacking @Hafsa_Khawaja for her tweets about white people in Pakistan. I am in total agreement and am writing this thread to explain 1. Why she's right and 2. How foreigners should behave in Pakistan.
I'll raise my hands up and say that I experienced some of the best hospitality in the world during my time as a foreigner in Pakistan, and I am indebted to everyone who has shown that to me. I do know that Pakistanis can be incredibly kind and hospitable beyond belief.
However, why was this kind of hospitality extended to me and not to others? I met many foreigners when I was in Pakistan. It seems that some are worthy of the friendliness (Arabs, Chinese, and most of all, goras) and some are not (Afghans, Somalis, etc.).
Read 19 tweets
Profile picture
Christophe Barraud🛢
@C_Barraud
🇨🇳 #CHINA Q3 GDP Y/Y: 6.5% V 6.6%E (slowest growth since Q1 2009)
*NBS spokesman Mao Shengyong said that the international situation was bringing “downward pressure” on China.
*Link: bloom.bg/2RVX1ZA
🇫🇷 🇪🇺 🇨🇳 French tire maker Michelin warned of declining sales in Europe and #China in the second half of the year, dragging down shares of its competitors in the U.S. and Europe - Bloomberg
*Statement: bit.ly/2EujhqH
🇺🇸🇨🇳🇪🇺 In a volley of filings, the EU, #China and the U.S. this week escalated disputes over new U.S. metals tariffs, the European response to those levies, and Chinese intellectual property practices - Bloomberg
bloomberg.com/news/articles/…
Read 634 tweets
Profile picture
Sara Gibbs
@Sara_Rose_G
Over the last few days, some Jewish organisations & activists have responded to the Warsaw Ghetto graffiti in ways I have found troubling 1/
The statements have gone along the lines of (paraphrasing) ‘we get how upset you are about Israel & we agree, but this isn’t the way to go about it’. 2/
My issue with this is (please excuse the poor analogy, I’m not comparing Israel & ISIS but there’s no apt analogy) imagine if someone had graffitied ‘fuck ISIS’ at the site of a massacre of Muslims. 3/
Read 15 tweets
Profile picture
Popbitch
@popbitch
Last year, we ran a four-part series on the fascinating history of the National Enquirer, its parent company American Media, Inc. and its ties to the Trump administration. In light of the news over the last few days, we thought we'd do a quick primer...
The history of the National Enquirer cover sixty years of American history – touching on the New York Mafia, the DC corridors of power, the tabloid industry of Florida, newspaper strikes, commie witch-hunts, Soviet espionage and much, much more... popbitch.com/2017/10/the-un…
The key players in the early years (1950s-80s) are:
– Generoso Pope Jr, the founding editor and son of a New York media magnate
– Frank Costello, the head of the New York mafia in the 40s/50s
– Roy Cohn, the shadiest motherfucker to ever earn a law degree
Read 56 tweets
Profile picture
Amit Julka
@amitjulka
Over the last few days, have noticed a lot of twitter people discussing why Indian engineers/MBA types tend to mostly swing rightwards. Also, does the inclusion of a few humanities courses make a difference? Read on.
1) People have already covered the usual explanations - male, upper caste, the god complex that accompanies securing an admission. All solid points, but that doesn't account for the fact that the phenomenon often goes beyond savarna males
2) I think the question is one of basic worldview, and the assumption that the social world mirrors the 'natural world' (which in turn is also erroneously presumed to be newtonian and deterministic, with 'iron clad' laws)
Read 14 tweets

Trending hashtags

#MakeAmericaSafeAgain #KAG2020 #MAGA #quarterbacked #email #Ratlines #NeverForget #Things #Posterity #VAGov #bitcoin #Clues #Racist #MOMs #Selfie #REPLY #ThisIsPasco #BradyBunch #cryptocurrency #SMEARS #YES #cliche #smeard #alone #CAKE
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!