Date: Sun, 13 Jul 2014 19:15:32 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: glibc locale issues

Tavis Ormandy <taviso@...xchg8b.com> wrote:

> I just remembered another charset issue I had looked into but abandoned.
> 
> First of all, I think the need_so logic in gconv_trans is broken, but even
> if it worked there is an off-by-one error in __gconv_translit_find() (it
> does + 3 instead of + 3 + 1 in the allocation).

To be clear, I suspect this is exploitable. It would be nice if you could
modify the buffer such that gconv will open a path with a string you've
appended to it (e.g. CHARSET=//. pkexec ./../../../../tmp/foo.so); if not, maybe
the one-byte overflow is still exploitable. You have a reasonable amount of
control, e.g. CHARSET=//AAAAA pkexec $(perl -e 'print "A" x 125'

Tavis.
