[linux-security] Beware of dangerous environment (Re: Overflows in minicom)
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Wed May 20 11:17:39 1998
Date: Tue, 19 May 1998 16:26:50 +0200 (MET DST)
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
In-reply-to: <k2vhrcywnv.fsf@zero.aec.at>
To: drepper@gnu.org, bug-glibc@gnu.org, hjl@gnu.org, linux-security@redhat.com
Reply-to: peak@kerberos.troja.mff.cuni.cz
Resent-From: linux-security@redhat.com
On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:
> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> like it does with LD_LIBRARY_PATH etc.). If it doesn't that is a bad bug.
>
> [... clickety click ... ]
>
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.
I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.
Variable               Impact
NLSPATH                can read arbitrary file
LANGUAGE, LANG, LC_*   ditto (if the value starts with a sufficient
                       number of "../")
TZ                     ditto (../)
LD_PROFILE_OUTPUT      can overwrite arbitrary file (not verified)
Quite a lot of harm can be caused even with read-only access.
Think of getting read access to /dev/*, esp. /dev/mem and /dev/port
(welcome to the world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.
Affected versions chart

Ver./Var.            NLSPATH  LANGUAGE, LANG, LC_*  TZ     LD_PROFILE_OUTPUT
libc 5.4.44          yes      yes(0)                yes    no
glibc 2.0.7          no(1)    yes                   no(2)  no
glibc pre2.1         no(1)    yes                   no(2)  yes(3)
  (snapshot 980301)
Solaris 2.5(4)       yes      no                    yes    maybe
  (with 103187-35)
(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_secure_enable is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report
such problems to Sun?)
Example of "exploitation"
$ mkfifo /tmp/LC_MESSAGES
$ LANG=../../../../tmp xterm &
$ ps l
  FLAGS   UID   PID  PPID PRI  NI SIZE  RSS WCHAN     STA TTY TIME COMMAND
    100   555 17293 17291  14   0 1200  804 wait4     S   p2  0:00 -bash
 100000   555 17347 17293  10   0 2384 1208 fifo_open S   p2  0:00 xterm
 100000   555 17348 17293  17   0  920  500           R   p2  0:00 ps l
Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
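As an added illustration of the __secure_getenv()-style defence that footnotes (1) and (2) of the chart refer to (example code written for this archive page, not from Pavel's post or from any libc), a setuid program can both ignore the environment when its effective ids differ from its real ids and refuse locale values that would walk out of the locale directory with "../". The names running_secure, secure_getenv_compat, locale_value_is_safe and effective_lang are hypothetical.

```c
/* Added example: a __secure_getenv()-style wrapper plus a locale-name
 * sanity check for setuid programs.  All function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 when the process holds privileges it did not inherit from its
 * caller (setuid/setgid), the condition glibc tracks as __libc_enable_secure. */
static int running_secure(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Like getenv(), but returns NULL for every variable while running
 * setuid/setgid, which is what __secure_getenv() does for NLSPATH. */
static const char *secure_getenv_compat(const char *name)
{
    return running_secure() ? NULL : getenv(name);
}

/* Reject locale names an untrusted caller could use to redirect file
 * lookups: empty strings, absolute paths, and anything containing ".."
 * or a '/' (the "../../../../tmp" value from the xterm example). */
static int locale_value_is_safe(const char *value)
{
    if (value == NULL || *value == '\0' || *value == '/')
        return 0;
    if (strstr(value, "..") != NULL || strchr(value, '/') != NULL)
        return 0;
    return 1;
}

/* Choose the LANG value to honour: the environment value only when the
 * process is not secure and the value is sane, otherwise the "C" locale. */
static const char *effective_lang(const char *env_value, int secure)
{
    if (secure || !locale_value_is_safe(env_value))
        return "C";
    return env_value;
}

int main(void)
{
    const char *lang = secure_getenv_compat("LANG");
    printf("LANG in effect: %s\n", effective_lang(lang, running_secure()));
    return 0;
}
```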