lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 24 Oct 2009 19:05:35 +0100
From: Anton Ivanov <anton.ivanov@...-begemot.co.uk>
To: Dan Yefimov <dan@...htwave.net.ru>
Cc: Matthew Bergin <matt.bergin@...mail.com>,
	bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory
	permissions	on	Linux

On Sat, 2009-10-24 at 21:39 +0400, Dan Yefimov wrote:
> On 24.10.2009 20:59, Anton Ivanov wrote:
> >> Not to tell about
> >> that /proc/<PID>/fd/ contains only symbolic links, not files, so I can't
> >> understand, how the original reporter managed to gain access to the file in the
> >> restricted directory using that symlink.
> >
> > The perms are definitely broken and without a code audit on procfs I
> > would not bet that this is limited just to this rather obscure test
> > case.
> >
> > To be honest, I hope that it is limited to this rather obscure test
> > case. If it is not there may be entertaining ramifications.
> >
> Given my citation above (I personally use Linux), that obscure test case looks 
> doubtful. If the original reporter uses some patched kernel, that doesn't matter 
> others.

It works on Debian 2.6.26 out of the box. It is not an obscure patched
kernel case I am afraid. 

If you redir an FD to a file using thus redir-ed FD in /proc allows you
to bypass directory permissions for where the file is located.
Thankfully, file permissions still apply so you need an app which has
silly file perms in a bolted down directory for this.

Symlinking the same file to a link on a normal ext3 or nfs filesystem as
a sanity check shows correct permission behaviour. If you try to write
to that symlink you get permission denied so the permissions on the fs
actually work.

No need to be root, nothing. It is not a case of "forget to drop EID or
something else like that either". It looks like what it says on the tin
- permission bypass. 

Not that I would have expected anything different considering who posted
it in the first place.

-- 
   Understanding is a three-edged sword:
            your side, their side, and the truth. --Kosh Naranek

A. R. Ivanov
E-mail:  anton.ivanov@...-begemot.co.uk
WWW:     http://www.kot-begemot.co.uk/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ