oss-sec mailing list archives

Re: Re: Problems in automatic crash analysis frameworks


From: Tavis Ormandy <taviso () google com>
Date: Wed, 15 Apr 2015 13:44:45 -0700

On Wed, Apr 15, 2015 at 2:45 AM, Jakub Filak <jfilak () redhat com> wrote:
Hello,

I have a question regarding the ABRT vulnerabilities. I don't particularly understand how an attacker can use the
/proc/pid/exe symlink to force ABRT to read an arbitrary file if the symlink cannot be changed and the kernel refuses to
create the process if the symlink's target is not executable.

This code trusts the /proc/pid/exe symlink, even though it is possible
to link it anywhere you want.

https://github.com/abrt/abrt/blob/master/src/hooks/abrt-hook-ccpp.c#L368

       sprintf(buf, "/proc/%lu/exe", (long)pid);
       int src_fd_binary = open(buf, O_RDONLY); /* might fail and return -1, it's ok */

Thank you for clarifying this for me.


My description was incorrect; it can't be an arbitrary file, just a
file you have execute but not read permission on.

Tavis.
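The issue above is a privileged hook opening /proc/pid/exe on behalf of an unprivileged user, which turns an execute-only binary into a readable one. As an added example (not ABRT's code and not the fix the project shipped), here is a check that only releases the descriptor when the crashing process's owner could have read the target themselves. It assumes the hook already knows the crashing process's uid/gid (the core-dump handler receives them), and it uses plain mode bits only, so POSIX ACLs are not honoured; a production hook would rather switch to the user's credentials before opening.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: plain mode-bit check, deliberately ignoring ACLs. */
static int mode_grants_read(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Open path read-only (as a privileged hook would), then only hand the fd
 * back if the crashing process's owner could have read the file too. The
 * check runs on the already-open fd, so nothing can be swapped in between. */
int open_readable_by(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && mode_grants_read(&st, uid, gid);
    if (!ok) {
        close(fd);
        errno = EACCES;   /* execute-only target: refuse to copy it */
        return -1;
    }
    return fd;
}

/* Create a scratch file (constructed input) with the given mode and report
 * whether open_readable_by() releases it: 1 = yes, 0 = refused, -1 = setup error. */
int probe_mode(mode_t mode, uid_t uid, gid_t gid)
{
    char path[] = "/tmp/exeprobeXXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0 || fchmod(tmp, mode) < 0)
        return -1;
    close(tmp);
    int fd = open_readable_by(path, uid, gid);
    unlink(path);
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}
```

Run as root, probe_mode(0100, ...) shows the point of the thread: the open itself succeeds, and only the ownership check stops the execute-only file from being handed out.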
