oss-sec mailing list archives
Re: [Linux] /proc/pid/stat parsing bugs
From: Shawn Webb <shawn.webb () hardenedbsd org>
Date: Thu, 22 Dec 2022 10:04:48 -0500
On Thu, Dec 22, 2022 at 03:44:45PM +0100, Jakub Wilk wrote:
> sudo was bitten by this back in the day (CVE-2017-1000367): https://www.openwall.com/lists/oss-security/2017/05/30/16
I remember performing local privescs against poorly-written cronjobs that ran as root and parsed things in procfs. One bug was in a C application that had a format string bug when parsing data from procfs. Something akin to this (in C-like pseudo code):

```
fp = fopen("/some/logfile/here", "w+");
procfs_fp = fopen("/proc/pid/something", "r");
fgets(something_read_from_procfs_fp, sizeof something_read_from_procfs_fp, procfs_fp);
fprintf(fp, something_read_from_procfs_fp); /* procfs data used directly as the format string */
```

Name your application "%n" or a shared object "%n" and you'll have a fun time. (Of course, replace with actual format string exploit).

Process hollowing by abusing /proc/pid/maps and /proc/pid/mem was a fun tactic back in the early 2000s. We knew way back then the dangers of VFS-based wizardry. Did we lose that knowledge somehow?

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
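The parsing pitfall this thread is about, as an added example that is not part of the post above nor sudo's code: the comm field in /proc/[pid]/stat is the one field a process controls (via its executable name or prctl), and it may contain spaces and parentheses. A parser that splits the whole line on whitespace and counts fields reads attacker-shifted values for everything after comm; the robust form locates comm between the first '(' and the last ')' and only then parses the fixed numeric fields. The two stat lines below are constructed for the example (a 34816 tty_nr, a comm containing spaces) and the struct/function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines (first fields of /proc/[pid]/stat plus padding).
 * proc(5) order after the pid: (comm) state ppid pgrp session tty_nr ... */
static const char *const SAMPLE_NORMAL =
    "1234 (sudo) R 1000 1234 1234 34816 1234 0 0 0";
/* comm is chosen by the process itself; here it contains spaces and digits */
static const char *const SAMPLE_TRICKY =
    "1234 (sudo 0 0 0 0 7) R 1000 1234 1234 34816 1234 0 0 0";

struct procstat {
    long pid;
    char comm[64];
    char state;
    long ppid, pgrp, session, tty_nr;
};

/* Naive parser: treats stat as whitespace-separated fields and takes the
 * seventh as tty_nr. A comm containing spaces shifts every later field.
 * Returns -1 when fewer than 7 fields match. */
static long tty_nr_naive(const char *line)
{
    long pid, ppid, pgrp, session, tty;
    char comm[64], state;
    if (sscanf(line, "%ld %63s %c %ld %ld %ld %ld",
               &pid, comm, &state, &ppid, &pgrp, &session, &tty) != 7)
        return -1;
    return tty;
}

/* Robust parser: comm is the only field that can hold arbitrary bytes, and
 * it is bracketed by the first '(' and the LAST ')' on the line (all later
 * fields are numeric or a single state letter, so they never contain ')'). */
static int parse_stat(const char *line, struct procstat *out)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    size_t len;

    memset(out, 0, sizeof *out);
    if (!open || !close || close < open)
        return -1;
    out->pid = strtol(line, NULL, 10);

    len = (size_t)(close - open - 1);          /* bytes strictly inside the parens */
    if (len >= sizeof out->comm)
        len = sizeof out->comm - 1;            /* truncate, never overflow */
    memcpy(out->comm, open + 1, len);
    out->comm[len] = '\0';

    /* Only now parse the fixed-position fields that follow the last ')' */
    if (sscanf(close + 1, " %c %ld %ld %ld %ld",
               &out->state, &out->ppid, &out->pgrp, &out->session, &out->tty_nr) != 5)
        return -1;
    return 0;
}

static long tty_nr_robust(const char *line)
{
    struct procstat ps;
    return parse_stat(line, &ps) == 0 ? ps.tty_nr : -1;
}

/* 1 if the robust parser recovers exactly `expected` as comm, else 0 */
static int comm_matches(const char *line, const char *expected)
{
    struct procstat ps;
    return parse_stat(line, &ps) == 0 && strcmp(ps.comm, expected) == 0;
}

int main(void)
{
    printf("naive  tty_nr: normal=%ld tricky=%ld\n",
           tty_nr_naive(SAMPLE_NORMAL), tty_nr_naive(SAMPLE_TRICKY));
    printf("robust tty_nr: normal=%ld tricky=%ld\n",
           tty_nr_robust(SAMPLE_NORMAL), tty_nr_robust(SAMPLE_TRICKY));
    return 0;
}
```

On the tricky line the naive parser reports tty_nr 7, a value that came from the comm string, while the robust parser reports 34816 for both lines. The same rule applies to any consumer of stat: never count fields from the left of comm; anchor on the last ')' and treat whatever sits between the parens as untrusted bytes.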