Date:      Mon, 09 Feb 2015 18:57:36 -0800
From:      Rui Paulo <rpaulo@me.com>
To:        Mateusz Guzik <mjguzik@gmail.com>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Rui Paulo <rpaulo@FreeBSD.org>
Subject:   Re: svn commit: r278479 - in head: etc sys/kern
Message-ID:  <EE5E14DC-D44C-495B-BB2B-ADFCC6B07B59@me.com>
In-Reply-To: <20150210024317.GA21779@dft-labs.eu>
References:  <201502092313.t19NDpoS083043@svn.freebsd.org> <20150210024317.GA21779@dft-labs.eu>

On Feb 9, 2015, at 18:43, Mateusz Guzik <mjguzik@gmail.com> wrote:
>
> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>> +notify 10 {
>> +	match "system"          "kernel";
>> +	match "subsystem"       "signal";
>> +	match "type"            "coredump";
>> +	action "logger $comm $core";
>> +};
>> +
>> */
>>
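Review bot: the example `action "logger $comm $core"` is documentation that readers will copy into devd.conf, and devd runs actions through a shell, so the comment should state what characters `$comm` and `$core` are guaranteed to contain; as written, nothing tells a reader that the two variables are only shell-safe if the kernel side filters them.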
> [..]
>> +	if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>> +		goto out;
>> +	snprintf(data, len, "comm=%s", fullpath);
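Review bot: `snprintf(data, len, "comm=%s", fullpath)` copies the executable's full path into the devctl message unmodified, and the devd.conf example earlier in this patch hands `$comm` to a shell action, so every byte of that path lands on the `sh -c` command line. Before the path is placed in `data` it should be restricted to a fixed safe character set (or encoded), and the devd.conf comment should say that `$comm` is only safe after that filtering.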
>
> I cannot test it right now, but it looks like immediate privilege
> escalation.
>
> Path is not sanitized in any way and devd passes it to 'sh -c'.
>
> So a file named "a.out; /bin/id; meh" or so should result in execution
> of aforementioned /bin/id.

Well, you can't have a file name with "/" but you're right.

> Another note is that currently devctl is record oriented, but this may
> change at some point and free form userspace text could be used to forge
> new events.
>
> As such I strongly suggest we sanitize this somehow. Maybe a base64 or
> something.

I was trying hard to avoid this issue in my unpublished crash helper, but I forgot that devd runs execl("sh -c", ....);  :-(

It might just be easier to inspect the path names and allow only [a-z][A-Z][0-9] and '/' before sending the devctl message.

--
Rui Paulo
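A defensive sketch of the whitelist proposed above, with a hex-encoding fallback in the spirit of the base64 suggestion; this is an added example, not code from r278479 or from the crash helper discussed in the thread. The function names and the "comm_hex=" field are hypothetical, and it assumes userspace C with a 1024-byte path limit.

```c
/* Added example (not from r278479); names and the comm_hex field are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Whitelist from the thread: only [A-Za-z0-9] and '/'. Anything else
 * (';', ' ', '$', '`', quotes) could rewrite the "sh -c" line devd builds. */
bool devctl_path_is_safe(const char *path)
{
	for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
		if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
		    (*p >= '0' && *p <= '9') || *p == '/')
			continue;
		return false;
	}
	return true;
}

/* Encoding fallback (same idea as the base64 suggestion): emit the path as
 * lowercase hex so no raw byte reaches the shell. Returns characters
 * written (excluding the NUL), or -1 if out is too small. */
int devctl_hex_encode(const char *path, char *out, size_t outlen)
{
	static const char digits[] = "0123456789abcdef";
	size_t n = strlen(path);
	if (outlen < 2 * n + 1)
		return -1;
	for (size_t i = 0; i < n; i++) {
		unsigned char c = (unsigned char)path[i];
		out[2 * i] = digits[c >> 4];
		out[2 * i + 1] = digits[c & 0x0f];
	}
	out[2 * n] = '\0';
	return (int)(2 * n);
}

/* Build the devctl field: "comm=<path>" when the path passes the whitelist,
 * otherwise "comm_hex=<hex>" so a consumer can still recover the name.
 * Returns snprintf's result, or -1 if the hex buffer is too small. */
int devctl_format_comm(const char *path, char *data, size_t len)
{
	char hexbuf[2 * 1024 + 1];	/* room for paths up to 1024 bytes */
	if (devctl_path_is_safe(path))
		return snprintf(data, len, "comm=%s", path);
	if (devctl_hex_encode(path, hexbuf, sizeof(hexbuf)) < 0)
		return -1;
	return snprintf(data, len, "comm_hex=%s", hexbuf);
}
```

A consumer that receives "comm_hex=" knows the name was rejected by the whitelist and can decode it without ever passing the raw bytes to a shell.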