Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things

Two-argument open, and reading already open files.

by pjf (Curate)
on Dec 17, 2006 at 06:55 UTC ( [id://590285]=note: print w/replies, xml ) Need Help??

in reply to Re^5: On being 'critical'
in thread On being 'critical'

As you point out, if real and effective user ids are different, taint mode is enabled automatically. So even if a script relying upon <> is accidently given the setuid bit, nothing nasty happens. That means the attack is not an attack.

Except that taint doesn't stop you opening a file for reading. So, is there anything that taint considers opening "for reading", and which one would not be able to invoke using the 3-argument open? Well, there is, and it's hardly ever seen:

open(FH, '<&=0');

The special <&=n sequence instructs Perl to duplicate an existing filehandle. What interesting things can setuid programs have open that an attacker may wish to read? How about /etc/passwd after a getpwent() call?

perl -T -MFcntl=SEEK_SET -e'getpwent(); open(FH,q{<&=3}) or die $!; se +ek(FH,0,SEEK_SET); print <FH>'

When running as root, the getpw* calls open /etc/shadow to read the password. My box closes the file immediately after, but do you trust every system to do that?

Network sockets, configuration files, or anything else that uses a filehandle is fair game for this attack. A setuid program that has open filehandles to privileged resources runs the very real risk of revealing information it shouldn't if you can get it to use a 2-argument open with user input.

Remember, taint doesn't help you here. We're opening a file for reading. ;)

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://590285]
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others goofing around in the Monastery: (1)
As of 2024-05-23 20:14 GMT
Find Nodes?
    Voting Booth?

    No recent polls found