[1112] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Environment Variables (Was Re: [linux-security] Re: RESOLV_HOST_CONF )

daemon@ATHENA.MIT.EDU (Mark Whitis)
Thu Aug 29 19:26:54 1996

Date: Thu, 29 Aug 1996 00:35:00 -0400 (EDT)
From: Mark Whitis <whitis@dbd.com>
To: Daniel Bromberg <ddaniel@furlong.jpl.nasa.gov>
cc: Joshua Cowan <jcowan@jcowan.reslife.okstate.edu>,
        linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199608260046.RAA04384@furlong.jpl.nasa.gov>

On Sun, 25 Aug 1996, Daniel Bromberg wrote:

> I propose a blanket solution: have the kernel manipulate the
> environment passed to the setuid program in a safe manner. Thus only
> pass through a few, if any, env variables to any setuid program,
> statically linked or not. (Off the top of my head, all I think one
> needs is USER, HOME, possibly HOSTALIASES).  Given the splitvt type of
> attack, we'd also need to 'clean up' the ones we do pass through, by
> removing non-printable content and limiting the length. There is more
> configuration needed: so there could be some file like
> /etc/default/root.env which contains the environment that the sysadmin
> deems adequate for proper operation of all setuid programs. (like
> PATH, HOSTNAME, etc.) Such a file could also specify which user's env
> variables were safe to pass through.

Last time I looked at possibilities for exploits of environment variables
on setuid programs (or via telnetd), I came to the conclusion that
virtually all environment variables, even the "safe" (and sometimes
necessary) ones, were potentially exploitable.  As for your list
of ones to pass through unchanged, they do not appear even marginally
safe.   USER & HOME: a setuid program (and any programs it calls)
should not need them; if they do, they shouldn't be trusted.
If a program needs these, they should be regenerated from reliable
sources.  HOSTALIASES (and any other variable which affects DNS
lookup

Here is the beginings of a catalog of common environment variables
and a little about their potential exploitability.  I started
with a printenv on an almost strait out of the box RedHat 3.0.3
system and added a few from memory.

RESOLV_HOST_CONF  - Can be (ab)used to read any file on the system (resolver
                    libraries echo file if there is an error in it), crash
                    system by reading /dev/kmem, or to spoof name lookups.
 
ENV               - Well known exploits
USERNAME          - Any setuid program that needs this info had better
                    get it from someplace trustworthy
HISTSIZE          - Don't know.  Really large values or negative or zero
                    values might conceivably do domething strange to child
                    processes invoked by a setuid program
HOSTNAME          - Any setuid program that needs this info had better
                    get it from someplace trustworthy
LOGNAME           - see username
HISTFILESIZE      - Don't know.  Really large values or negative or zero
                    values might conceivably do domething strange to child
                    processes invoked by a setuid program
MAIL=/var/spool/mail/whitis
TERM              - Very Dangerous.  In addition to the TERMCAP problem,
                    csh is vulnerable to TERM - it EVALUATES it just like
                    bash evaluates ENV.  Other shells may also.
                    If TERM is allowed, it must be used in conjuction
                    with a list of acceptable values. 
                    Exploits:
                       - telnet/telnetd environment variable 'feature'
                       - older telnetd's still passed a terminal type even
                         if they dont let you set other environment 
                         variables.  So even telnetd's which have 
                         fixed the telnet environ bug may still
                         be vulnerable to attacks on csh based
                         captive accounts.
                       - setuid programs which use shell scripts,
                         call system, etc.
                       - On system Vish systems:
                            login: script-user TERM='`/bin/sh</dev/tty>&/dev/tty`'
                            password: ...
                            $
                       - login -p based exploits:
                             export TERM='evil'
                             login -p
                             login: blah
                             Password: ....
                             ...
                             echo $TERM
                             blah blah

TERMCAP           - Very Dangerous (termcap entries can specify the
                    execution of arbitrary programs).
HOSTTYPE=i386     - Sometimes used in generating PATH
PATH              - Very Dangerous
HOME              - Any setuid program that needs this info had better
                    get it from someplace trustworthy and be very careful
                    what it uses it for in the first place.  HOME points
                    to files created by an untrusted user.
SHELL             - No setuid programs or captive login scripts should
                    need this should they?  Obviously dangerous if used.
PS1               - Some buffer overrun attacks possible.  In general,
                    setuid programs and captive login programs should
                    not be starting interactive shells but this could
                    have unexpected consequences internally to the shell
                    as well as to .profile files.
USER              - See USERNAME
DISPLAY           - Allows you to connect to any TCP port over 6000 (and
                    sometimes under 6000 using negative numbers) although
                    you may not have a lot of control over the data stream.
                    A possible way to attack things inside a firewall
                    when combined with things like the telnetd bug.
OSTYPE=Linux      - See HOSTTYPE
SHLVL=1           - Unknown.  
TZ                - Affects time formatting functions.  Potential for
                    several types of attacks:
                      - Forging time (i.e. you can cause a transaction
                        to appear to have occurred at a different time)
                      - Buffer overrun attacks in any programs which
                        print time.
                      - punctuation based attacks
LANG,
LC_ALL,
LC_COLLATE,
LC_CTYPE,
LC_MONETARY,
LC_MESSAGES,
LC_NUMERIC,
LC_TIME            - These can cause standard library functions, such
                     as printf(), to do unexpected things, particularly
                     with regard to punctuation which can cause data
                     field misallignment based attacks in some situations.
IFS                - Known exploits
LD_LIBRARY_PATH*   - Known exploits (replacing shared libraries with
                     trojan versions, often via Anonymous FTP or similar
                     means), usually fixed for setuid programs
                     in ld.so.   
LOCALDOMAIN,
HOSTALIASES*       - Anything which can be used to spoof DNS is
                     potentially exploitable.  critical programs
                     should use RED_NOALIASES on systems like linux
                     where this variable is implemented, although
                     that may not protect against LOCALDOMAIN.


Many of the above variables can be made more dangerous through their
explicit use in captive login programs, .profile, .login, .bashrc,.cshrc,
etc.

I have not even touched on some others: 
PRINTER
LPDEST
EXINIT
WINDOWID
LESSCHARSET
EDITOR
VISUAL
NLSPATH
MSGVERB
NETPATH
SEV_LEVEL

any environment variables listed in man pages relating to
  - any shell
  - environ(5)
  - ld.so
  - libc
  - any specific setuid program
should be added to the list

bash$ TERM='`/bin/ls >/dev/tty`' csh

[REW: In short, LOTS of environment variables are potentially
expoloitable. Only known "safe" variables should be passed (by
e.g. telnetd, or a setuid-wrapper).  (I never knew about
RESOLV_HOST_CONF before it came up here.) And even "safe" variables
should be paranoidly checked against odd characters etc.]

---------------------------------------------------------------------------
---  Mark Whitis <whitis@dbd.com>     WWW:  http://www.dbd.com/~whitis/ ---
---  428-B Moseley Drive; Charlottesville, VA 22903        804-962-4268 ---
---------------------------------------------------------------------------

home help back first fref pref prev next nref lref last post