Beware of dangerous enviroment (Re: Overflows in minicom)
- From: Pavel Kankovsky <peak kerberos troja mff cuni cz>
- To: drepper gnu org, bug-glibc gnu org, hjl gnu org, linux-security redhat com
- Subject: Beware of dangerous enviroment (Re: Overflows in minicom)
- Date: Tue, 19 May 1998 16:26:50 +0200 (MET DST)
On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:
> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> like it does with LD_LIBRARY_PATH etc.). If it doesn't that is a bad bug.
>
> [... clickety click ... ]
>
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.
I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.
Variable               Impact
NLSPATH                can read arbitrary file
LANGUAGE, LANG, LC_*   ditto (if the value starts with a sufficient
                       number of "../")
TZ                     ditto ("../")
LD_PROFILE_OUTPUT      can overwrite arbitrary file (not verified)
Quite a lot of harm can be caused even with read-only access.
Think of getting read access to /dev/*, esp. /dev/mem and /dev/port
(welcome to the world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.
Affected versions chart

Ver./Var.              NLSPATH  LANGUAGE, LANG, LC_*  TZ     LD_PROFILE_OUTPUT
libc 5.4.44            yes      yes(0)                yes    no
glibc 2.0.7            no(1)    yes                   no(2)  no
glibc pre2.1           no(1)    yes                   no(2)  yes(3)
  (snapshot 980301)
Solaris 2.5(4)         yes      no                    yes    maybe
  (with 103187-35)

(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_enable_secure is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report
    such problems to Sun?)
Example of "exploitation"

$ mkfifo /tmp/LC_MESSAGES
$ LANG=../../../../tmp xterm &
$ ps l
 FLAGS  UID   PID  PPID PRI NI SIZE  RSS WCHAN     STA TTY TIME COMMAND
   100  555 17293 17291  14  0 1200  804 wait4     S   p2  0:00 -bash
100000  555 17347 17293  10  0 2384 1208 fifo_open S   p2  0:00 xterm
100000  555 17348 17293  17  0  920  500           R   p2  0:00 ps l
Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]