|No such thing as a small change|
Two-argument open, and reading already open files.by pjf (Curate)
|on Dec 17, 2006 at 06:55 UTC||Need Help??|
As you point out, if real and effective user ids are different, taint mode is enabled automatically. So even if a script relying upon <> is accidently given the setuid bit, nothing nasty happens. That means the attack is not an attack.
Except that taint doesn't stop you opening a file for reading. So, is there anything that taint considers opening "for reading", and which one would not be able to invoke using the 3-argument open? Well, there is, and it's hardly ever seen:
The special <&=n sequence instructs Perl to duplicate an existing filehandle. What interesting things can setuid programs have open that an attacker may wish to read? How about /etc/passwd after a getpwent() call?
When running as root, the getpw* calls open /etc/shadow to read the password. My box closes the file immediately after, but do you trust every system to do that?
Network sockets, configuration files, or anything else that uses a filehandle is fair game for this attack. A setuid program that has open filehandles to privileged resources runs the very real risk of revealing information it shouldn't if you can get it to use a 2-argument open with user input.
Remember, taint doesn't help you here. We're opening a file for reading. ;)
Perl Training Australia