Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Apr 2019 14:12:36 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: no permission check during open() time of
 /proc/[pid]/maps in kernels < 3.18

Hello,

I stumbled over a leak of memory mappings for arbitrary processes in
kernels older than version 3.18.

As it turns out the permissions check for the pseudo file in
/proc/[pid]/maps in affected kernels is performed not during open() time
but during read() time. This allows an unprivileged user to open a valid
file descriptor for these maps files and pass it to privileged programs
like setuid root binaries or D-Bus services running as root that support
file descriptor passing in their interface.

The privileged program needs behave in a way that the passed file
descriptor is read() with root premissions and the content is passed
back to the unprivileged user in some way.

For example the opiesu program from OPIE [1], if installed setuid root,
provides the necessary features to read arbitrary /proc/[pid]/maps files
as an unprivileged user. It reads only one line from the user's stdin
and outputs it again on stdout. By repeatedly performing this operation
the complete maps file content can be obtained. This is a quick PoC bash
script to exploit this to obtain the maps contents of PID 1:

```
exec 3</proc/1/maps
while true; do
    OUT=`/usr/bin/opiesu <&3 2>/dev/null | grep response | cut -d ' ' -f 3-`
    echo "$OUT"
    [ -z "$OUT" ] && break
done
```

The issue was fixed in the kernel via commit [2]. I don't think this
ever got a CVE or a security note. As a result on systems running an
affected kernel hardenings like ASLR aren't effective against local
users.

[1]: https://en.wikipedia.org/wiki/OPIE_Authentication_System
[2]: https://github.com/torvalds/linux/commit/29a40ace841cba9b661711f042d1821cdc4ad47c

Best regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.