lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <c8b7ecb8508895bf4adb62a748e2ea2c71854597.camel@bonedaddy.net>
Date:   Tue, 19 Mar 2019 14:06:27 +0800
From:   Paul Wise <pabs3@...edaddy.net>
To:     Alexander Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel@...r.kernel.org,
        linux-kernel <linux-kernel@...r.kernel.org>
Cc:     Jakub Wilk <jwilk@...lk.net>
Subject: PROBLEM: Linux kernel.core_pattern with pipes does argument
 splitting after template expansion

The Linux kernel.core_pattern support for core dump handlers using the
pipe syntax does argument splitting after template expansion.

At minimum this bug could cause truncated values for the executable
name. This also means that the argument parsing for core dump handlers
is slightly more complicated because they have to deal with the fact
that an attacker that can control the executable name via %E and %e
could pass additional arguments, including command-line options, to the
handler. Usually this is easy to deal with by merging the remaining
arguments after an options termination indicator but it is very
unlikely that core dump handler implementers are aware of the issue.

Theoretically hostnames with %h could also be split up but in practice
they do not appear to be allowed to contain spaces.

Steps to reproduce:

   $ cat foo 
   #!/bin/sh
   printf "%s~" "$@" >> /var/log/core
   echo >> /var/log/core

   $ chmod a+rx foo

   $ sudo sysctl kernel.core_pattern="|`pwd`/foo %E"
   kernel.core_pattern = |/home/pabs/foo %E

   $ cp /bin/sleep 'sleep with spaces'

   $ ./sleep\ with\ spaces 55555 &
   [1] 16041

   $ kill -SEGV %1
   [1]+  Segmentation fault      (core dumped) ./sleep\ with\ spaces 55555

Incorrect results:

   $ cat /var/log/core
   !home!pabs!sleep~with~spaces~

Correct results:

   $ cat /var/log/core
   !home!pabs!sleep with spaces~

This was originally reported by Jakub Wilk <jwilk@...lk.net>:
<20190312145043.jxjoj66kqssptolr@...lk.net>
https://bugs.debian.org/924398

-- 
bye,
pabs

https://bonedaddy.net/pabs3/

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ