oss-sec mailing list archives
Re: Problems in automatic crash analysis frameworks
From: Jakub Filak <jfilak () redhat com>
Date: Wed, 15 Apr 2015 05:45:44 -0400 (EDT)
Hello, I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can use the /proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and the kernel refuses to create the process if the symlink's target is not executable.
This code trusts the /proc/pid/exe symlink, even though it is possible to link it anywhere you want.

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368

    sprintf(buf, "/proc/%lu/exe", (long)pid);
    int src_fd_binary = open(buf, O_RDONLY); /* might fail and return -1, it's ok */
Thank you for clarifying this for me.

Kind regards,
Jakub