Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Feb 2012 10:55:23 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux procfs infoleaks via self-read by a SUID/SGID program (was: CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access)

On Thu, Feb 09, 2012 at 03:31:34AM +0100, Jason A. Donenfeld wrote:
> On Wed, Feb 8, 2012 at 11:12, Solar Designer <solar@...nwall.com> wrote:
> > BTW, what version of chsh did you test this with and what behavior do
> > you observe?  I was not able to get anything useful in this way out of
> > Owl's chsh (once enabled for non-root) - it just asks for the password,
> > but somehow fails to read it if one is entered on the tty (perhaps
> > there's some inconsistency in use of the tty vs. fd 0).  I suppose I'd
> > need to get past successful authentication for chsh's input to be
> > treated as the new shell name, in which case it'd get printed out (such
> > as in an error message) or/and put in /etc/passwd.
> 
> zx2c4@...C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ gcc maps.c
> zx2c4@...C4-Laptop ~/Projects/Ploits/Local/CVE-2012-0056 $ ./a.out
> Changing the login shell for zx2c4
> Enter the new value, or press ENTER for the default
>         Login Shell [/bin/bash]: chsh: Invalid entry:
> 00400000-00408000 r-xp 00000000 fd:00 1444794
>   /usr/bin/chsh

Hmm.  It does not even ask you for the password.  Perhaps you have
CHFN_AUTH in /etc/login.defs set to "no" or not set at all?  (On Owl,
it's "yes".)

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.