[Full-disclosure] Proc filesystem and SUID-Binaries
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Proc filesystem and SUID-Binaries
- From: halfdog <me@xxxxxxxxxxx>
- Date: Sat, 22 Jan 2011 07:39:22 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In my reply to FD-post "GNU libc/regcomp(3) Multiple Vulnerabilities" I
indicated that I found and reported the same bug while searching for
resource starvation bugs two years ago. So I dug out the programs from
back then to test suid binaries on a recent Linux distro and kernel. While
it is still possible to trigger quite a few different flaws, none of
them is quite interesting enough to investigate (mostly NULL and -1
derefs). But I got a minor but funny fault:
When executing a process as normal user, one can open /proc/[pid]/
entries and keep them open, even after executing a suid binary. Thus it
is possible e.g. to
* Find stack base even with stack randomization
* Modify oom_adj and kill the suid-binary with SIGKILL
* Modify the coredump filter
* Read limits
Damn it, that /proc/self/mem is not rw
See http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/
Apart from that, ping6 contains a trivial buffer overflow using the size
parameter (>128000), but I think it is not exploitable to gain root
privileges.
See http://www.halfdog.net/Security/2011/Ping6BufferOverflow/
--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFNOom3xFmThv7tq+4RAjYgAKCC/jMjYGQXGGdaf0ThCxbX5Ru+rwCdGby2
AI+Av64ClCQSYLREKmcJM2w=
=VPrq
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/