Date: Thu, 22 Dec 2022 10:04:48 -0500 From: Shawn Webb <shawn.webb@...denedbsd.org> To: oss-security@...ts.openwall.com Subject: Re: [Linux] /proc/pid/stat parsing bugs On Thu, Dec 22, 2022 at 03:44:45PM +0100, Jakub Wilk wrote: > sudo was bitten by this back in the day (CVE-2017-1000367): > https://www.openwall.com/lists/oss-security/2017/05/30/16 I remember performing local privesc's against poorly-written cronjobs that ran as root and parsed things in procfs. One bug was in a C application that had a format string bug when parsing data from procfs data. Something akin to this (in C-like pseudo code): ``` fp = fopen("/some/logfile/here", "w+"); procfs_fp = fopen("/proc/pid/something") fprintf(fp, something_read_from_procfs_fp); ``` Name your application "%n" or a shared object "%n" and you'll have a fun time. (Of course, replace with actual format string exploit). Process hollowing by abusing /proc/pid/maps and /proc/pid/mem was a fun tactic back in the early 2000's. We knew way back then the dangers of VFS-based wizardry. Did we lose that knowledge somehow? -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.