linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "David R. Piegdon" <fleshyCPU@gmx.net>
To: linux-kernel@vger.kernel.org
Subject: Re: Linux v2.6.0-test1  [[Fwd: [Full-Disclosure] Linux 2.4.x execve() file read race vulnerability]]
Date: Mon, 14 Jul 2003 15:48:44 +0200	[thread overview]
Message-ID: <200307141548.44359.fleshyCPU@gmx.net> (raw)
In-Reply-To: <20030714124721.GI15452@holomorphy.com>


this one was posted on full-disclosure a while ago
i think this is what alan cox means with
 fs/exec stuff
:)


----------  Forwarded Message  ----------
From: Paul Starzetz <paul@starzetz.de>
To: bugtraq@securityfocus.com,
 vendor-sec <vendor-sec@lst.de>,
 full-disclosure@lists.netsys.com
Date: Thu, 26 Jun 2003 19:24:23 +0200

Hi people,

again it is time to discover a funny bug inside the Linux execve()
system call.


Details:
- ---------

While looking at the execve() code I've found the following piece of
code (from fs/binfmt_elf.c):

static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs *
regs)
{
    struct file *interpreter = NULL; /* to shut gcc up */

[...]

    retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *)
elf_phdata, size);
    if (retval < 0)
        goto out_free_ph;

    retval = get_unused_fd();
    if (retval < 0)
        goto out_free_ph;
    get_file(bprm->file);
    fd_install(elf_exec_fileno = retval, bprm->file);


So, during the execution of new binary, the opened file descriptor to
the executable is put into the file table of the current (the caller of
execve()) process. This can be exploited creating a file sharing
parent/child pair by means of the clone() syscall and reading the file
descriptor from one of them.

Further, the check for shared files structure (in compute_creds() from
exec.c) is made to late, so even the parent can successfully exit after
playing games on that file descriptor and the child (if setuid) is
executed under full privileges. I wrote a simple setuid binary dump
utility so far, but further implications (due to the complexity of the
execve() syscall) may be possible...


Lets illustrate the vulnerability:

paul@buggy:~> ls -l /bin/ping
- -rws--x--x    1 root     root        29680 Oct 25  2001 /bin/ping

so the setuid ping binary can be only executed by anyone, but not read.

Now we start the suid dumper (while playing with the disk on another
console like cat /usr/bin/* >/dev/null) :

paul@buggy:~> while true ; do ./suiddmp /bin/ping -c 1 127.0.0.1 ; if
test $? -eq 1 ; then exit 1 ; fi; done 2>/dev/null | grep -A5 suc

and after few seconds:

Parent success stating:
uid 0 gid 0 mode 104711 inode 9788 size 29680
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=94 usec

- --- 127.0.0.1 ping statistics ---

paul@buggy:~> ls -l
total 7132
- -rwxr-xr-x    1 paul     users       29680 Jun 26 19:17 suid.dump
[...]

paul@buggy:~> ./suid.dump
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination


Obviously the setuid binary has been duplicated :-) (but with no setuid
flag of course).


Source also available at:

http://www.starzetz.com/paul/suiddmp.c

/ih

-------------------------------------------------------


  parent reply	other threads:[~2003-07-14 13:37 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-07-14 11:50 Linux v2.6.0-test1 John Bradford
2003-07-14 11:53 ` Dave Jones
2003-07-14 12:00   ` William Lee Irwin III
2003-07-14 12:39     ` Alan Cox
2003-07-14 12:47       ` William Lee Irwin III
2003-07-14 12:47         ` Alan Cox
2003-07-14 13:48         ` David R. Piegdon [this message]
2003-07-14 12:40 ` Alan Cox
2003-07-14 16:55 ` Kurt Wall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200307141548.44359.fleshyCPU@gmx.net \
    --to=fleshycpu@gmx.net \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: Linux v2.6.0-test1  [[Fwd: [Full-Disclosure] Linux 2.4.x execve() file read race vulnerability]]' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).