[28077] in bugtraq


Re: Solaris priocntl exploit

daemon@ATHENA.MIT.EDU (Jay Beale)
Mon Dec 2 16:24:25 2002

Date: Mon, 2 Dec 2002 08:45:38 -0800
From: Jay Beale <jay@bastille-linux.org>
To: "bugtraq @ securityfocus. com" <bugtraq@securityfocus.com>
Message-ID: <20021202164538.GB12185@zork.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021127024912.78C4A2F813@smtp.x263.net>

> but unfortunately, priocntl() never checks for '../' in the pc_clname arg,
> so we can use '../../../tmp/module' to make priocntl() load a module from anywhere

You've got to love when this kind of classic mistake happens in a system call!

I latched onto this one simply because it's the same poor input
validation/permissions check that happens in my favorite old privilege escalator,
userhelper.  ( http://online.securityfocus.com/bid/913 )

This always gets classified as bad input validation.  Is the right answer really
to check for '../'s, or to canonicalize the filename argument and check ownership
and permissions on the file and its parent directories?

  - Jay

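The two approaches Jay contrasts, side by side, as an added example that is not part of the original post or of any Solaris code: a naive reject-if-it-contains-"../" filter next to a check that runs the name through realpath(3), verifies the result still lies under the trusted module directory, and then verifies owner and write bits on that directory, each directory below it, and the file itself. The directory layout (trusted/, untrusted/, good.so, loose.so, evil.so, the escape symlink) and the function names are constructed for this demonstration; the symlink is the case the substring filter misses, and the world-writable loose.so is the case a pure containment check misses.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The weak check: reject the name only if it is absolute or contains a
 * literal "../".  A symlink inside the module directory that points
 * elsewhere contains neither and sails straight through. */
int naive_reject(const char *name)
{
    return name[0] == '/' || strstr(name, "../") != NULL;
}

/* path is canonical (no symlinks left after realpath).  Require the given
 * inode type, ownership by trusted_uid, and no group/other write bit. */
static int trusted_inode(const char *path, uid_t trusted_uid, mode_t type)
{
    struct stat st;
    if (stat(path, &st) != 0 || (st.st_mode & S_IFMT) != type)
        return 0;
    if (st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

/* The stronger check: canonicalize base_dir/name, require containment under
 * the canonical base_dir, then check base_dir, every directory below it on
 * the way to the file, and the file.  On success the canonical path is
 * copied to out and 0 is returned; any failure returns -1. */
int safe_module_path(const char *base_dir, const char *name, uid_t trusted_uid,
                     char *out, size_t outlen)
{
    char joined[PATH_MAX], base[PATH_MAX], full[PATH_MAX], prefix[PATH_MAX];
    size_t baselen, i;

    if (name[0] == '\0' || name[0] == '/')
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", base_dir, name) >= (int)sizeof joined)
        return -1;
    if (realpath(base_dir, base) == NULL || realpath(joined, full) == NULL)
        return -1;

    /* Containment: full must start with "<base>/" (symlinks already resolved). */
    baselen = strlen(base);
    if (strncmp(full, base, baselen) != 0 || full[baselen] != '/')
        return -1;

    /* Walk the canonical path from the base directory downwards. */
    if (!trusted_inode(base, trusted_uid, S_IFDIR))
        return -1;
    for (i = baselen + 1; full[i] != '\0'; i++) {
        if (full[i] == '/') {
            memcpy(prefix, full, i);
            prefix[i] = '\0';
            if (!trusted_inode(prefix, trusted_uid, S_IFDIR))
                return -1;
        }
    }
    if (!trusted_inode(full, trusted_uid, S_IFREG) || strlen(full) >= outlen)
        return -1;
    strcpy(out, full);
    return 0;
}

/* Constructed fixture: <root>/trusted/{good.so 0644, loose.so 0666,
 * escape -> ../untrusted} and <root>/untrusted/evil.so.  Returns the
 * trusted directory (malloc'd) or NULL. */
char *build_fixture(void)
{
    char *root = strdup("/tmp/priocntl_demo_XXXXXX");
    char path[PATH_MAX], link_path[PATH_MAX];
    const char *files[] = { "trusted/good.so", "trusted/loose.so", "untrusted/evil.so" };
    const mode_t modes[] = { 0644, 0666, 0644 };
    size_t i;

    if (root == NULL || mkdtemp(root) == NULL)
        return NULL;
    for (i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", root, i == 0 ? "trusted" : "untrusted");
        if (mkdir(path, 0755) != 0 || chmod(path, 0755) != 0)
            return NULL;
    }
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", root, files[i]);
        FILE *f = fopen(path, "w");
        if (f == NULL || fclose(f) != 0 || chmod(path, modes[i]) != 0)
            return NULL;
    }
    snprintf(link_path, sizeof link_path, "%s/trusted/escape", root);
    if (symlink("../untrusted", link_path) != 0)
        return NULL;
    snprintf(path, sizeof path, "%s/trusted", root);
    return strdup(path);
}

int main(void)
{
    const char *names[] = { "good.so", "loose.so", "escape/evil.so", "../untrusted/evil.so" };
    char out[PATH_MAX], *base = build_fixture();
    size_t i;
    if (base == NULL) { perror("fixture"); return 1; }
    for (i = 0; i < 4; i++)
        printf("%-22s naive:%-7s canonical:%s\n", names[i],
               naive_reject(names[i]) ? "reject" : "accept",
               safe_module_path(base, names[i], getuid(), out, sizeof out) == 0 ? "accept" : "reject");
    return 0;
}
```

Run as an ordinary user it prints accept/accept for good.so, accept/reject for loose.so (the substring filter has no opinion on permissions), accept/reject for escape/evil.so (the symlink bypasses the substring filter but not the canonical containment check), and reject/reject for the literal "../" name. The owner comparison uses the calling uid only because the fixture is created by the same user; a kernel or setuid consumer would compare against root or whatever uid owns the module directory.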