oss-sec mailing list archives
util-linux mount/unmount ASLR bypass via environment variable
From: halfdog <me () halfdog net>
Date: Thu, 11 Jan 2018 21:33:02 +0000
Hello list, Just FYI. The issue was not rated important, hence reported in public mailing list, see [0]. Copy of message: Cleaning up another issue, I noticed that I haven't reported this one yet. Debugging of libmount can be activated, also in SUID binaries, thus spilling out the heap addresses. Note that "CXT" structure contains function pointers to overwrite. Test: LIBMOUNT_DEBUG=all /bin/umount / Output: 2401: libmount: CXT: [0x562d3abb0760]: ----> allocate [RESTRICTED] 2401: libmount: CXT: [0x562d3abb0760]: umount: / 2401: libmount: CXT: [0x562d3abb0760]: umount: lookup FS for '/' 2401: libmount: CXT: [0x562d3abb0760]: checking for writable tab files 2401: libmount: UTILS: utab: /run/mount/utab 2401: libmount: CACHE: [0x562d3abb1950]: alloc 2401: libmount: CACHE: [0x562d3abb1950]: canonicalize path / 2401: libmount: CACHE: [0x562d3abb1950]: add entry [ 1] (path): /: / 2401: libmount: CXT: [0x562d3abb0760]: tabfilter ENABLED! 2401: libmount: TAB: [0x562d3abb35b0]: alloc ... The output can easily be used by creating a local domain socket with only 4k buffer size, filling it up until writes are blocking and then start umount with that socket as stdout. This allows race-free reading of the address output before umount accesses other user-controlled resource. Thus any error during the downstream procedure creating some kind of write-where vulnerability will always find the correct target. hd [0] https://www.spinics.net/lists/util-linux-ng/msg14978.html
Current thread:
- util-linux mount/unmount ASLR bypass via environment variable halfdog (Jan 11)