Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120208101258.GA2149@openwall.com>
Date: Wed, 8 Feb 2012 14:12:58 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access)

On Wed, Feb 08, 2012 at 06:59:48AM +0100, Jason A. Donenfeld wrote:
> Might be slightly offtopic,

On topic for this list (thank you for posting!), but not for the
original thread (I've changed the Subject, but kept the thread since
this is already in the thread).

> but this is a possible info leak of maps for a suid program:
> 
> $ cat maps.c
> #include <unistd.h>
> #include <fcntl.h>
> 
> int main(int argc, char **argv)
> {
> 
>         int fd = open("/proc/self/maps", O_RDONLY);
>         dup2(fd, 0);
>         execl("/usr/bin/chsh", "chsh", NULL);
>         return 0;
> }

Nice.  I guess the same works for /proc/self/mem as well, including with
lseek().  Using this for more than just an ASLR bypass may be tricky -
need to find a suitable program to abuse.  In fact, even the usefulness
of such an ASLR bypass is very limited since the invocation mode above
might not be the same as needed for another attack, and the address
space layout will change between the two execs.  (Not to mention that
ASLR is generally practical to bypass for local attacks anyway by simply
trying enough times, unless there's lockout.)

I guess it might be possible to get some implementation of chsh to print
an excerpt from /etc/shadow.  Luckily, on Owl we don't have chsh enabled
for non-root by default and we don't have a global /etc/shadow. ;-)

BTW, what version of chsh did you test this with and what behavior do
you observe?  I was not able to get anything useful in this way out of
Owl's chsh (once enabled for non-root) - it just asks for the password,
but somehow fails to read it if one is entered on the tty (perhaps
there's some inconsistency in use of the tty vs. fd 0).  I suppose I'd
need to get past successful authentication for chsh's input to be
treated as the new shell name, in which case it'd get printed out (such
as in an error message) or/and put in /etc/passwd.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.