[1762] in linux-security and linux-alert archive


[linux-security] Beware of dangerous environment (Re: Overflows in minicom)

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Wed May 20 11:17:39 1998

Date: Tue, 19 May 1998 16:26:50 +0200 (MET DST)
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
In-reply-to: <k2vhrcywnv.fsf@zero.aec.at>
To: drepper@gnu.org, bug-glibc@gnu.org, hjl@gnu.org, linux-security@redhat.com
Reply-to: peak@kerberos.troja.mff.cuni.cz
Resent-From: linux-security@redhat.com

On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:

> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> to what it does with LD_LIBRARY_PATH etc.). If it doesn't, that is a bad bug.
> 
> [... clickety click ... ]
> 
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.


I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.

Variable                Impact

NLSPATH                 can read arbitrary file
LANGUAGE, LANG, LC_*    ditto (if the value starts with a sufficient
                        number of "../")
TZ                      ditto (../)
LD_PROFILE_OUTPUT       can overwrite arbitrary file (not verified)


Quite a lot of harm can be caused even with read-only access.
Think of getting read access to /dev/*, esp. /dev/mem and /dev/port 
(welcome to the world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.


Affected versions chart

Ver./Var.                        NLSPATH   LANGUAGE, LANG, LC_*   TZ      LD_PROFILE_OUTPUT

libc 5.4.44                      yes       yes(0)                 yes     no
glibc 2.0.7                      no(1)     yes                    no(2)   no
glibc pre2.1 (snapshot 980301)   no(1)     yes                    no(2)   yes(3)
Solaris 2.5(4) (with 103187-35)  yes       no                     yes     maybe

(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_secure_enable is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report
    such problems to Sun?)


Example of "exploitation"

$ mkfifo /tmp/LC_MESSAGES
$ LANG=../../../../tmp xterm &
$ ps l
 FLAGS   UID   PID  PPID PRI  NI   SIZE   RSS WCHAN       STA TTY TIME
COMMAND
   100   555 17293 17291  14   0   1200   804 wait4       S   p2  0:00 -bash 
100000   555 17347 17293  10   0   2384  1208 fifo_open   S   p2  0:00 xterm
100000   555 17348 17293  17   0    920   500             R   p2  0:00 ps l

Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
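An added example, not part of Pavel's post or of any libc: a secure_getenv-style lookup for setuid programs that applies the two mitigations the post describes (ignore path-valued variables such as NLSPATH and TZ entirely when privileged, and accept only plain locale names for LANG/LANGUAGE/LC_*). All function names here are hypothetical helpers; privilege is detected from real vs. effective ids (glibc's real secure_getenv additionally consults AT_SECURE).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Whitelist for locale names ("C", "en_US.UTF-8", "cs_CZ@euro"). It rejects
 * '/', so a value such as "../../../../tmp" cannot steer the message catalog
 * lookup below the locale directory (the xterm FIFO trick in the post). */
bool locale_value_is_safe(const char *v)
{
    if (v == NULL || *v == '\0' || strlen(v) > 64)
        return false;
    for (const char *p = v; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@')
            return false;
    }
    return true;
}
/* Variables whose value is a file or directory path: ignored completely in
 * a privileged process, the way glibc's __secure_getenv treats NLSPATH. */
static bool is_path_var(const char *name)
{
    return strcmp(name, "NLSPATH") == 0 || strcmp(name, "TZ") == 0 ||
           strcmp(name, "LD_PROFILE_OUTPUT") == 0;
}
/* Variables that name a locale and are later spliced into a path. */
static bool is_locale_var(const char *name)
{
    return strcmp(name, "LANGUAGE") == 0 || strcmp(name, "LANG") == 0 ||
           strncmp(name, "LC_", 3) == 0;
}
/* Policy core, kept separate from getenv() so it can be unit-tested:
 * returns the value that may be used, or NULL if it must be ignored. */
const char *filter_env_value(const char *name, const char *value, bool privileged)
{
    if (value == NULL)
        return NULL;
    if (is_path_var(name))
        return privileged ? NULL : value;
    if (is_locale_var(name))
        return locale_value_is_safe(value) ? value : NULL;
    return value;
}
/* True when real and effective ids differ (setuid/setgid executable). */
bool running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}
/* Drop-in replacement for getenv() inside a setuid program. */
const char *hardened_getenv(const char *name)
{
    return filter_env_value(name, getenv(name), running_privileged());
}
```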
