Full Disclosure mailing list archives

Proc filesystem and SUID-Binaries
From: halfdog <me () halfdog net>
Date: Sat, 22 Jan 2011 07:39:22 +0000

In my reply to the FD post "GNU libc/regcomp(3) Multiple Vulnerabilities" I
indicated that I found and reported the same bug while searching for
resource starvation bugs two years ago. So I dug out the programs from
back then to test suid binaries on a recent Linux distro and kernel. While
it is still possible to trigger quite a few different flaws, none of
them is quite interesting enough to investigate (mostly NULL and -1
derefs). But I got a minor but funny fault:

When executing a process as normal user, one can open /proc/[pid]/
entries and keep them open, even after executing a suid binary. Thus it
is possible e.g. to
* Find stack base even with stack randomization
* Modify oom_adj and kill the suid-binary with SIGKILL
* Modify the coredump filter
* Read limits

Damn it, that /proc/self/mem is not rw

See http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/

Apart from that, ping6 contains a trivial buffer overflow using the size
parameter (>128000), but I think it is not exploitable to gain root.

See http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

-- 
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
