Re: Re: Problems in automatic crash analysis frameworks

[Tavis Ormandy <taviso () google com>]

On Wed, Apr 15, 2015 at 1:44 PM, Tavis Ormandy <taviso () google com> wrote:
> On Wed, Apr 15, 2015 at 2:45 AM, Jakub Filak <jfilak () redhat com> wrote:
> > Hello,
> >
> > I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can use 
> > /proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and kernel refuses to 
> > create the process if the symlink's target is not executable.
> >
> > > This code trusts the /proc/pid/exe symlink, even though it is possible
> > > to link it anywhere you want.
> > >
> > > https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
> > >
> > >        sprintf(buf, "/proc/%lu/exe", (long)pid);
> > >        int src_fd_binary = open(buf, O_RDONLY); /* might fail and
> > >                                                    return -1, it's ok */
> >
> > Thank you for clarifying this for me.
>
> My description was incorrect, It can't be an arbitrary file, just a
> file you have execute but not read permission.
>
> Tavis.

Apparently I'm wrong again, spender points out it may still be possible.

https://twitter.com/grsecurity/status/588459661805817858

Tavis.