oss-sec mailing list archives
Re: Re: Problems in automatic crash analysis frameworks
From: Tavis Ormandy <taviso () google com>
Date: Wed, 15 Apr 2015 15:14:33 -0700
On Wed, Apr 15, 2015 at 1:44 PM, Tavis Ormandy <taviso () google com> wrote:
> On Wed, Apr 15, 2015 at 2:45 AM, Jakub Filak <jfilak () redhat com> wrote:
>> Hello,
>>
>> I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can use /proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and kernel refuses to create the process if the symlink's target is not executable.
>>
>>> This code trusts the /proc/pid/exe symlink, even though it is possible to link it anywhere you want.
>>>
>>> https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368
>>>
>>>     sprintf(buf, "/proc/%lu/exe", (long)pid);
>>>     int src_fd_binary = open(buf, O_RDONLY); /* might fail and return -1, it's ok */
>>
>> Thank you for clarifying this for me.
>
> My description was incorrect, It can't be an arbitrary file, just a file you have execute but not read permission.
>
> Tavis.

Apparently I'm wrong again, spender points out it may still be possible.

https://twitter.com/grsecurity/status/588459661805817858

Tavis.