Bugtraq mailing list archives
Re: Solaris priocntl exploit
From: Jay Beale <jay () bastille-linux org>
Date: Mon, 2 Dec 2002 08:45:38 -0800
> but unfortunately, priocntl() never checks for '../' in the pc_clname arg, so we can use '../../../tmp/module' to make priocntl() load a module from anywhere
You've got to love it when this kind of classic mistake happens in a system call! I latched onto this one simply because it's the same poor input validation/permissions check that happens in my favorite old privilege escalator, userhelper ( http://online.securityfocus.com/bid/913 ). This always gets classified as bad input validation. Is the right answer really to check for '../'s, or to canonicalize the filename argument and check ownerships and permissions on the file and parent directories? - Jay
Current thread:
- Re: Solaris priocntl exploit Jay Beale (Dec 02)
- Re: Solaris priocntl exploit Pavel Kankovsky (Dec 23)