oss-sec mailing list archives

Re: [Linux] /proc/pid/stat parsing bugs

From: Shawn Webb <shawn.webb () hardenedbsd org>
Date: Thu, 22 Dec 2022 10:04:48 -0500

On Thu, Dec 22, 2022 at 03:44:45PM +0100, Jakub Wilk wrote:

sudo was bitten by this back in the day (CVE-2017-1000367):
https://www.openwall.com/lists/oss-security/2017/05/30/16


I remember performing local privesc's against poorly-written cronjobs
that ran as root and parsed things in procfs. One bug was in a C
application that had a format string bug when parsing data from
procfs data.

Something akin to this (in C-like pseudo code):

```
fp = fopen("/some/logfile/here", "w+");
procfs_fp = fopen("/proc/pid/something")
fprintf(fp, something_read_from_procfs_fp);
```

Name your application "%n" or a shared object "%n" and you'll have a
fun time. (Of course, replace with actual format string exploit).

Process hollowing by abusing /proc/pid/maps and /proc/pid/mem was a
fun tactic back in the early 2000's.

We knew way back then the dangers of VFS-based wizardry. Did we lose
that knowledge somehow?

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Attachment: signature.asc
Description:

Current thread:

[Linux] /proc/pid/stat parsing bugs Dmitry Vyukov (Dec 21)
- Re: [Linux] /proc/pid/stat parsing bugs Demi Marie Obenour (Dec 21)
- Re: [Linux] /proc/pid/stat parsing bugs Yann Droneaud (Dec 21)
  - Re: [Linux] /proc/pid/stat parsing bugs Dmitry Vyukov (Dec 21)
- Re: [Linux] /proc/pid/stat parsing bugs Shawn Webb (Dec 21)
  - Re: [Linux] /proc/pid/stat parsing bugs Shawn Webb (Dec 22)
- Re: [Linux] /proc/pid/stat parsing bugs Jakub Wilk (Dec 22)
  - Re: [Linux] /proc/pid/stat parsing bugs Shawn Webb (Dec 22)
    - Re: [Linux] /proc/pid/stat parsing bugs Simon McVittie (Dec 23)
    - Re: [Linux] /proc/pid/stat parsing bugs Dominik Czarnota (Dec 25)