oss-sec mailing list archives
Re: [PATCH] implement privmode support in dash
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Thu, 22 Aug 2013 17:24:54 -0700
Simon McVittie <smcv () debian org> wrote:
> On 22/08/13 18:59, Tavis Ormandy wrote:
>> For example, here is one I just found in vmware-tools that manages to call
>> popen("lsb_release") with effective uid zero:
>>
>> $ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
>> # whoami
>> root
>
> Having (da)sh drop privileges is a useful bit of hardening, but it
> doesn't help you if the vulnerable executable does a fork-and-exec
> without using the shell (at least with one of the exec variants that
> respects $PATH, like execvp), or some more friendly wrapper around
> fork-and-exec like posix_spawnp() or GLib's g_spawn family of functions.
Sure, but we shouldn't let the perfect be the enemy of the good.

-fstack-protector doesn't magically make anything safe, but it's still a
useful mitigation tool that we would be worse off without. We can't produce a
patch that makes every crazy thing someone might want to do while setuid safe,
but this is a common pattern that Debian-derived distributions lag behind on.

I guarantee it will save you a few CVE's over the next few years :)

Tavis.

--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
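The startup check under discussion, as an added example that is not part of this message or of the dash patch: it is modelled on the bash -p rule, where a shell started with differing real and effective ids resets the effective ids unless -p is given. The function names are hypothetical, and as the quoted reply notes, a check like this only covers code paths that actually go through the shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper names; modelled on bash's -p rule, not the dash patch.
 * A drop is needed when real and effective ids differ (setuid/setgid
 * invocation) and the privileged flag (-p) was not given. */
int needs_priv_drop(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int pflag)
{
    if (pflag)
        return 0;
    return uid != euid || gid != egid;
}

/* Reset effective ids to the real ids. Group first: after the uid is
 * dropped the process may no longer be permitted to change its gid.
 * Returns 0 on success, -1 if a call fails or the ids still differ. */
int drop_to_real_ids(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting return codes alone. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Startup hook: 0 means ids already matched, -p was given, or the drop
 * succeeded; -1 means the caller must not continue. */
int apply_privmode(int pflag)
{
    if (!needs_priv_drop(getuid(), geteuid(), getgid(), getegid(), pflag))
        return 0;
    return drop_to_real_ids();
}

int main(void)
{
    if (apply_privmode(0) != 0) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return EXIT_FAILURE;
    }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return EXIT_SUCCESS;
}
```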