Home page logo

oss-sec logo oss-sec mailing list archives

Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access)
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Thu, 9 Feb 2012 03:31:34 +0100

On Wed, Feb 8, 2012 at 11:12, Solar Designer <solar () openwall com> wrote:
BTW, what version of chsh did you test this with and what behavior do
you observe?  I was not able to get anything useful in this way out of
Owl's chsh (once enabled for non-root) - it just asks for the password,
but somehow fails to read it if one is entered on the tty (perhaps
there's some inconsistency in use of the tty vs. fd 0).  I suppose I'd
need to get past successful authentication for chsh's input to be
treated as the new shell name, in which case it'd get printed out (such
as in an error message) or/and put in /etc/passwd.

zx2c4 () ZX2C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ gcc maps.c
zx2c4 () ZX2C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ ./a.out
Changing the login shell for zx2c4
Enter the new value, or press ENTER for the default
        Login Shell [/bin/bash]: chsh: Invalid entry:
00400000-00408000 r-xp 00000000 fd:00 1444794

It's possible to use lseek to read the entire file in 1 go though.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]