| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Jul 2010 21:35:50 +0200
From: Frank Heckenbach <f.heckenbach@...soft.de>
To: linux-kernel@...r.kernel.org
Subject: procfs gives read/write access to RO/WO
pipes
Using /proc/*/fd, you can get read/write access to a pipe that you
have read-only or write-only access to. The program below
demonstrates this. It reads and writes through the "0" fd.
Tested with 2.6.34, i686.
At first sight, it doesn't look too serious if a program can write
to its own readable pipe, or read from its writeable pipe, but
perhaps I'm just not creative enough to see an exploit. Also, I
don't know it it might affect other file types where it might be a
real problem. At least, it does seem to violate the permissions.
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
int main ()
{
char a, n[64];
int p[2], f, r;
pipe (p);
sprintf (n, "/proc/self/fd/%i", p[0]);
f = open (n, O_RDWR);
write (f, "x", 1);
r = read (f, &a, 1);
fprintf (stderr, "%i %c\n", r, a);
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists