Date: Thu, 07 Sep 2000 10:18:24 -0600
From: Warner Losh <imp@village.org>
To: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <200009071618.e87GIOG16223@billy-club.village.org>
In-Reply-To: Your message of "Thu, 07 Sep 2000 13:00:10 +0200." <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz>
References: <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz>
In message <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz> "Vladimir Mencl, MK, susSED" writes:
: I allowed a user to run '/bin/ls -l /' as root - a simple test.
:
: /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
: localized date/time formatting) even when invoked via
: sudo. That would be sufficient to use the vulnerability, I suppose.

Did it allow you to read a file in PATH_LOCALE that otherwise it
wouldn't have? Are there buffer overflows that this could exploit?
Are there information leaks that you could force with this? What,
specifically, is the problem here?

: In my opinion, the cause of the vulnerability is in the conjunction of
: two conditions -
:
: 1. the "general misconception of locales", allowing user to tweak the
: behavior of programs via locales, which has been solved in FreeBSD, and
: 2. sudo not taking into account the fact, that FreeBSD has decided to
: propagate custom locales to programs running with upgraded privileges.

sudo was designed to be fairly permissive in many ways. The authors of
sudo explicitly realized that there may be loopholes in the command set
that you give users and that you must trust honest users to stay honest
with it.

Warner
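The thread names a "locale format string vulnerability" but never spells out the mechanism. The general pattern in that class of bug is a program that loads a translated message from a catalog selected by the caller's locale environment (LC_ALL, PATH_LOCALE and friends) and then passes that message to printf as the format string, so whoever controls the catalog controls the directives. The code below is an added example, not code from this thread, from FreeBSD's libc or from sudo: it shows the check a practitioner would want in front of such a call, comparing the directives in a catalog string against the program's own compiled-in original and falling back to the original when they differ. The helper names (extract_specs, catalog_fmt_ok, choose_fmt) and the sample catalog strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example (hypothetical helpers, not libc or sudo code): validate a
 * locale-catalog message before it is used as a printf format.
 */

#define MAX_SPECS 16

/* Record the conversion character of every printf directive in fmt.
 * "%%" is a literal percent sign and is skipped.  Flags, field width,
 * precision, positional "$" indices and length modifiers are consumed,
 * and only the final conversion character is kept.  Returns the number
 * of directives, or -1 if the string ends inside a directive or holds
 * more than cap of them. */
static int extract_specs(const char *fmt, char *out, size_t cap)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;            /* "%%": literal percent */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;                 /* flags / width / precision / length */
        if (*p == '\0')
            return -1;           /* truncated directive such as "abc%" */
        if ((size_t)n >= cap)
            return -1;           /* more directives than we track */
        out[n++] = *p;
    }
    return n;
}

/* 1 if catalog uses exactly the same directives, in the same order, as
 * the program's original; 0 otherwise.  A translation that adds "%x" or
 * "%n", drops an argument, or swaps "%s %d" into "%d %s" is rejected.
 * Positional reorderings ("%2$s %1$d") are rejected too; that is
 * deliberately conservative for a security check. */
int catalog_fmt_ok(const char *original, const char *catalog)
{
    char a[MAX_SPECS], b[MAX_SPECS];
    int na = extract_specs(original, a, MAX_SPECS);
    int nb = extract_specs(catalog, b, MAX_SPECS);
    if (na < 0 || nb < 0 || na != nb)
        return 0;
    return memcmp(a, b, (size_t)na) == 0;
}

/* Use the catalog string only when it passes the check; otherwise fall
 * back to the compiled-in original so the argument list always matches. */
const char *choose_fmt(const char *original, const char *catalog)
{
    return (catalog && catalog_fmt_ok(original, catalog)) ? catalog : original;
}

int main(void)
{
    const char *orig = "%s: cannot open %s (errno %d)\n";
    /* constructed sample catalog entries, one benign and one hostile */
    const char *good = "%s: kann %s nicht oeffnen (errno %d)\n";
    const char *evil = "%s: %x %x %x %x %n %s %d\n";

    printf(choose_fmt(orig, good), "ls", "/root/.ssh", 13);  /* translated */
    printf(choose_fmt(orig, evil), "ls", "/root/.ssh", 13);  /* falls back */
    return 0;
}
```

The check is the same idea as the "-c" consistency check of gettext's msgfmt, applied at run time because here the catalog is chosen by an untrusted environment rather than installed by the packager; it does not replace the fix Warner's questions point at, which is not letting a privileged program pick up a caller-controlled locale path in the first place.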