Impact
A user with local access to a server running WhiteBeam can bypass whitelisting functionality.
Patches
This vulnerability was patched in WhiteBeam 0.2.2.
Workarounds
N/A
References
The fopen/fopen64/truncate hooks (included in the Essential whitelist) allow a file to be truncated in the OpenFileDescriptor action before the VerifyCanWrite action runs. On Linux, this allows arbitrary files, including WhiteBeam startup files, to be truncated with sufficient privileges.
Further, the FORTIFY_SOURCE variants of libc functions, truncate64, and ftruncate64 may allow similar bypasses.
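The ordering problem described above, shown as an added example in Rust (not WhiteBeam's own code). `can_write` is a hypothetical stand-in for the VerifyCanWrite check, and the file and directory names are constructed. The example compares a truncating open that runs before the check with one that runs after it.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{Error, ErrorKind, Result};
use std::path::{Path, PathBuf};

// Hypothetical stand-in for a write-permission check such as VerifyCanWrite:
// a path is writable only if it sits under an allowed directory.
fn can_write(path: &Path, allowed_dirs: &[PathBuf]) -> bool {
    allowed_dirs.iter().any(|dir| path.starts_with(dir))
}

// Flawed ordering: the truncating open runs before the check, so a denied
// request has already emptied the file by the time the error is returned.
fn open_then_verify(path: &Path, allowed_dirs: &[PathBuf]) -> Result<File> {
    let file = OpenOptions::new().write(true).truncate(true).open(path)?;
    if !can_write(path, allowed_dirs) {
        return Err(Error::new(ErrorKind::PermissionDenied, "write not whitelisted"));
    }
    Ok(file)
}

// Corrected ordering: the check runs before any call that can modify the file.
fn verify_then_open(path: &Path, allowed_dirs: &[PathBuf]) -> Result<File> {
    if !can_write(path, allowed_dirs) {
        return Err(Error::new(ErrorKind::PermissionDenied, "write not whitelisted"));
    }
    OpenOptions::new().write(true).truncate(true).open(path)
}

// Runs one ordering against a constructed file outside the allowed directory
// and returns (request was denied, bytes left in the file afterwards).
fn denied_request_outcome(name: &str, open: fn(&Path, &[PathBuf]) -> Result<File>) -> Result<(bool, u64)> {
    let base = std::env::temp_dir().join(format!("order_demo_{}_{}", std::process::id(), name));
    fs::create_dir_all(base.join("allowed"))?;
    let protected = base.join("protected.conf");
    fs::write(&protected, b"constructed sample content")?;
    let denied = open(&protected, &[base.join("allowed")]).is_err();
    let remaining = fs::metadata(&protected)?.len();
    fs::remove_dir_all(&base)?;
    Ok((denied, remaining))
}

fn main() -> Result<()> {
    println!("open then verify: {:?}", denied_request_outcome("flawed", open_then_verify)?);
    println!("verify then open: {:?}", denied_request_outcome("fixed", verify_then_open)?);
    Ok(())
}
```

Both orderings return a permission error for the protected file; only the second leaves its contents intact, which is why the error code alone is not a sufficient regression test for this class of bug.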
Special thanks to security researcher Lesley De Keyser for identifying this issue.
For more information
If you have any questions or comments about this advisory: