oss-sec mailing list archives
Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access)
From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 9 Feb 2012 09:24:36 +0100
On Thu, Feb 09, 2012 at 10:55:23AM +0400, Solar Designer wrote:
On Thu, Feb 09, 2012 at 03:31:34AM +0100, Jason A. Donenfeld wrote:On Wed, Feb 8, 2012 at 11:12, Solar Designer <solar () openwall com> wrote:BTW, what version of chsh did you test this with and what behavior do you observe? I was not able to get anything useful in this way out of Owl's chsh (once enabled for non-root) - it just asks for the password, but somehow fails to read it if one is entered on the tty (perhaps there's some inconsistency in use of the tty vs. fd 0). I suppose I'd need to get past successful authentication for chsh's input to be treated as the new shell name, in which case it'd get printed out (such as in an error message) or/and put in /etc/passwd.zx2c4@ZX2C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ gcc maps.c zx2c4@ZX2C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ ./a.out Changing the login shell for zx2c4 Enter the new value, or press ENTER for the default Login Shell [/bin/bash]: chsh: Invalid entry: 00400000-00408000 r-xp 00000000 fd:00 1444794 /usr/bin/chshHmm. It does not even ask you for the password. Perhaps you have CHFN_AUTH in /etc/login.defs set to "no" or not set at all? (On Owl, it's "yes".)
Yes it seems that it does not require a password, and this is an arbitrary /proc/<pid>/ info leak (at least for some of the files), I've also experienced this. In this case the config of /usr/bin/chsh will help, since we avoid the lseek() which will fail on arbitrary files.
Alexander
-- tixxdz http://opendz.org
Current thread:
- CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access Solar Designer (Feb 05)
- Re: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access Jason A. Donenfeld (Feb 07)
- Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Solar Designer (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Djalal Harouni (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Jason A. Donenfeld (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Jason A. Donenfeld (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Solar Designer (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Jason A. Donenfeld (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Solar Designer (Feb 08)
- Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Djalal Harouni (Feb 09)
- Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access) Solar Designer (Feb 08)
- Re: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access Jason A. Donenfeld (Feb 07)