Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 22 Dec 2022 10:04:48 -0500
From: Shawn Webb <shawn.webb@...denedbsd.org>
To: oss-security@...ts.openwall.com
Subject: Re: [Linux] /proc/pid/stat parsing bugs

On Thu, Dec 22, 2022 at 03:44:45PM +0100, Jakub Wilk wrote:
> sudo was bitten by this back in the day (CVE-2017-1000367):
> https://www.openwall.com/lists/oss-security/2017/05/30/16

I remember performing local privesc's against poorly-written cronjobs
that ran as root and parsed things in procfs. One bug was in a C
application that had a format string bug when parsing data from
procfs data.

Something akin to this (in C-like pseudo code):

```
fp = fopen("/some/logfile/here", "w+");
procfs_fp = fopen("/proc/pid/something")
fprintf(fp, something_read_from_procfs_fp);
```

Name your application "%n" or a shared object "%n" and you'll have a
fun time. (Of course, replace with actual format string exploit).

Process hollowing by abusing /proc/pid/maps and /proc/pid/mem was a
fun tactic back in the early 2000's.

We knew way back then the dangers of VFS-based wizardry. Did we lose
that knowledge somehow?

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.