
Full Disclosure mailing list archives

Proc filesystem and SUID-Binaries
From: halfdog <me () halfdog net>
Date: Sat, 22 Jan 2011 07:39:22 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In my reply to FD-post "GNU libc/regcomp(3) Multiple Vulnerabilities" I
indicated that I found and reported the same bug while searching for
resource starvation bugs two years ago. So I dug out the programs from
back then to test suid binaries on a recent Linux distro and kernel. While
it is still possible to trigger quite a few different flaws, none of
them is quite interesting enough to investigate (mostly NULL and -1
derefs). But I got a minor but funny fault:

When executing a process as normal user, one can open /proc/[pid]/
entries and keep them open, even after executing a suid binary. Thus it
is possible e.g. to
* Find stack base even with stack randomization
* Modify oom_adj and kill the suid-binary with SIGKILL
* Modify the coredump filter
* Read limits

Damn it, that /proc/self/mem is not rw

See http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/


Apart from that, ping6 contains a trivial buffer overflow using the size
parameter (>128000), but I think it is not exploitable to gain root
privileges.

See http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNOom3xFmThv7tq+4RAjYgAKCC/jMjYGQXGGdaf0ThCxbX5Ru+rwCdGby2
AI+Av64ClCQSYLREKmcJM2w=
=VPrq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
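The post describes a parent process opening entries under /proc/[pid]/ of a child and keeping those descriptors after the child executes a suid binary. From a defender's side, the observable symptom is a process holding an open descriptor into another process's /proc directory. The audit script below, added here as an illustration and not part of halfdog's post or site, walks a /proc tree, readlinks every fd, and reports descriptors whose target lies under /proc/<other_pid>/ where other_pid differs from the holder. The proc_root parameter and the fake tree built by build_fake_proc are my own constructions so that the check can be exercised without a real /proc; run it with no arguments to scan the live /proc (non-root users will only see their own processes).

```python
import os
import re
import sys
import tempfile
from dataclasses import dataclass

# A descriptor target of the form /proc/<pid>/... ; the pid is captured.
PROC_TARGET = re.compile(r"^/proc/(\d+)(/.*)?$")


@dataclass(frozen=True)
class CrossProcFd:
    holder_pid: int   # process that holds the descriptor
    fd: int           # descriptor number in the holder
    target_pid: int   # process whose /proc directory the descriptor refers to
    target: str       # full link target as reported by readlink


def scan_cross_proc_fds(proc_root="/proc"):
    """Walk <proc_root>/<pid>/fd/* and report every descriptor whose link
    target lies under /proc/<other_pid>/ for an other_pid != holder pid.
    A process holding its own /proc entries is normal and is not reported."""
    findings = []
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            continue                      # skip /proc/sys, /proc/self, ...
        holder = int(name)
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                      # other user's process, not readable
        for fd_name in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd_name))
            except OSError:
                continue                  # fd closed between listdir and readlink
            m = PROC_TARGET.match(target)
            if m and int(m.group(1)) != holder:
                findings.append(CrossProcFd(holder, int(fd_name),
                                            int(m.group(1)), target))
    return findings


def build_fake_proc(root, entries):
    """Constructed fixture (hypothetical, for testing only): entries maps
    (holder_pid, fd) -> link target and is materialised as a /proc-like tree
    of symlinks under root."""
    for (pid, fd), target in entries.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir, exist_ok=True)
        os.symlink(target, os.path.join(fd_dir, str(fd)))


def demo():
    """Scan a constructed tree: one benign own-entry fd, one cross-process fd
    into another pid's oom_adj, and two unrelated descriptors."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {
            (1234, 3): "/proc/1234/status",    # holder's own entry: benign
            (1234, 4): "/proc/4321/oom_adj",   # another process's entry: report
            (1234, 5): "pipe:[77]",            # not a /proc target
            (4321, 0): "/dev/pts/0",           # not a /proc target
        })
        return scan_cross_proc_fds(root)


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    hits = demo() if arg == "demo" else scan_cross_proc_fds(arg)
    for h in hits:
        print(f"pid {h.holder_pid} fd {h.fd} -> {h.target} (pid {h.target_pid})")
```

The kernel resolves a descriptor opened through /proc/self/... to the concrete /proc/<pid>/... path in readlink output, so the regex sees the real target pid. A hit is only a lead: inspect the target process's executable (for example whether it is a setuid image) and the holder before treating it as abuse, since debuggers and supervisors legitimately hold such descriptors.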

