Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 01 Jan 2019 13:52:38 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Asserts considered harmful (or GMP spills its sensitive information)

Simon McVittie writes:
> On Tue, 01 Jan 2019 at 12:07:17 +0100, Niels Möller wrote:
> ...
>
> Some processes (including those that are setuid or setgid,
> I think?) are automatically undumpable.

This is not true and depends on your "/proc/sys/fs/suid_dumpable"
settings, see [0]. Especially "2" was intended to capture cores
from SUIDs also, e.g. together with systemd-coredump.


To test your SUID-coredump behaviour, you can use NullExec.c
from below. It quite reliable segfaults many SUID binaries. The
argv -> env trickery is useful as some binaries (e.g. crontab)
overread the gap between argv/env on stack so start processing
environment variables as argvs, thus circumventing any IDS/IPS
depending on correct checking of execve()'s call arguments.

$ ./NullExec /bin/su

hd

[0] https://github.com/torvalds/linux/blob/master/Documentation/sysctl/fs.txt

$ cat NullExec.c 
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
  if(argc<2) {
    fprintf(stderr, "Usage: %s [progname] [envvars...]\n");
    return(1);
  }
  execve(argv[1], NULL, argv+2);
  return(1);
}


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.