* util-linux mount/unmount ASLR bypass via environment variable
From: halfdog @ 2018-01-11 18:51 UTC (permalink / raw)
  To: util-linux

Hello list,

Cleaning up another issue, I noticed that I haven't reported this
one yet. Debugging of libmount can be activated, also in SUID
binaries, thus spilling out the heap addresses. Note that the "CXT"
structure contains function pointers to overwrite.

Test:

LIBMOUNT_DEBUG=all /bin/umount /

Output:

2401: libmount:      CXT: [0x562d3abb0760]: ----> allocate [RESTRICTED]
2401: libmount:      CXT: [0x562d3abb0760]: umount: /
2401: libmount:      CXT: [0x562d3abb0760]: umount: lookup FS for '/'
2401: libmount:      CXT: [0x562d3abb0760]: checking for writable tab files
2401: libmount:    UTILS: utab: /run/mount/utab
2401: libmount:    CACHE: [0x562d3abb1950]: alloc
2401: libmount:    CACHE: [0x562d3abb1950]: canonicalize path /
2401: libmount:    CACHE: [0x562d3abb1950]: add entry [ 1] (path): /: /
2401: libmount:      CXT: [0x562d3abb0760]: tabfilter ENABLED!
2401: libmount:      TAB: [0x562d3abb35b0]: alloc
...

The output can easily be used by creating a local domain socket
with only a 4k buffer size, filling it up until writes are blocking
and then starting umount with that socket as stdout. This allows
race-free reading of the address output before umount accesses
other user-controlled resources. Thus any error during the downstream
procedure creating some kind of write-where vulnerability will
always find the correct target.

hd




* Re: util-linux mount/unmount ASLR bypass via environment variable
From: Karel Zak @ 2018-01-12 10:15 UTC (permalink / raw)
  To: halfdog; +Cc: util-linux

On Thu, Jan 11, 2018 at 06:51:59PM +0000, halfdog wrote:
> Cleaning up another issue, I noticed that I haven't reported this
> one yet. Debugging of libmount can be activated, also in SUID binaries,

This is expected and wanted ;-)

> thus spilling out the heap addresses.

Good point. Fixed, now for SUIDs it's without the addresses:

$ LIBMOUNT_DEBUG=all mount
18622: libmount:      CXT: ----> allocate [RESTRICTED]
18622: libmount:      TAB: alloc
18622: libmount:    CACHE: alloc
18622: libmount:      TAB: mtab parse: #1 read mountinfo
18622: libmount:      TAB: /proc/self/mountinfo: start parsing [entries=0, filter=not]
18622: libmount:      TAB: add entry: sysfs /sys
18622: libmount:    CACHE: canonicalize path /proc/self/mountinfo
...

Thanks!

   Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com


* Re: util-linux mount/unmount ASLR bypass via environment variable
From: Peter Cordes @ 2018-01-12 11:50 UTC (permalink / raw)
  To: Karel Zak; +Cc: halfdog, util-linux

On Fri, Jan 12, 2018 at 11:15:59AM +0100, Karel Zak wrote:
> Good point. Fixed, now for SUIDs it's without the addresses:
>
> $ LIBMOUNT_DEBUG=all mount
> 18622: libmount:      CXT: ----> allocate [RESTRICTED]
> 18622: libmount:      TAB: alloc
> ...

Would it be useful to warn that addresses are being hidden?  People
might not realize they're missing out on that when debugging.

Especially relevant if the addresses are useful for bug reports,
rather than just for use with a local debugger or something.
(In that case people probably run sudo gdb mount rather than attaching
to a running SUID mount process.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@cor , des.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC


* Re: util-linux mount/unmount ASLR bypass via environment variable
From: Karel Zak @ 2018-01-12 12:47 UTC (permalink / raw)
  To: Peter Cordes; +Cc: halfdog, util-linux

On Fri, Jan 12, 2018 at 07:50:00AM -0400, Peter Cordes wrote:
> On Fri, Jan 12, 2018 at 11:15:59AM +0100, Karel Zak wrote:
> > Good point. Fixed, now for SUIDs it's without the addresses:
> >
> > $ LIBMOUNT_DEBUG=all mount
> > 18622: libmount:      CXT: ----> allocate [RESTRICTED]
> > 18622: libmount:      TAB: alloc
> > ...
> 
> Would it be useful to warn that addresses are being hidden?  People
> might not realize they're missing out on that when debugging.

OK.

# LIBMOUNT_DEBUG=all ./mount.static
14676: libmount: don't print memory addresses (SUID executable).
14676: libmount:     INIT: library debug mask: 0x100ffff
14676: libmount:     INIT: library version: 2.31.188
14676: libmount:     INIT:     feature: btrfs
14676: libmount:     INIT:     feature: assert



    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

