Date:      Thu, 7 Sep 2000 14:39:30 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        "Todd C. Miller" <Todd.Miller@courtesan.com>
Cc:        Warner Losh <imp@village.org>, "Vladimir Mencl, MK,     susSED" <mencl@nenya.ms.mff.cuni.cz>, freebsd-security@FreeBSD.org, security-officer@FreeBSD.org, millert@openbsd.org
Subject:   Re: UNIX locale format string vulnerability (fwd) 
Message-ID:  <Pine.BSF.4.21.0009071433440.16052-100000@freefall.freebsd.org>
In-Reply-To: <200009072126.e87LQuE12710@xerxes.courtesan.com>

On Thu, 7 Sep 2000, Todd C. Miller wrote:

> In message <Pine.BSF.4.21.0009071356030.8316-100000@freefall.freebsd.org>
> 	so spake Kris Kennaway (kris):
> 
> > Again, the problem here is with sudo, not with something that comes in
> > FreeBSD.
> 
> How is this a sudo problem?  Do you expect sudo to strip away the NLS
> env vars for you?  This would not be unprecedented, as sudo already
> strips out LD_* and friends but breaking locales seems a bit dodgy.
> 
> As I haven't seen the entire thread I'm clearly missing some info...

Non-setuid applications which use PATH_LOCALE (which isn't restricted by
libc since the application being run isn't setuid) can be pointed to a
user-supplied locale file, which might contain nasty strings like
formatting operators which could exploit a binary which doesn't handle them
properly. The net result is the user who has authority to sudo to a user
and run a non-privileged app can also run other code as that user.

Basically sudo is being used as a "poor man's setuid" which bypasses the
libc checks which would be in place to ignore the env variables if the
binary itself were setuid, so those checks need to be pushed down into
sudo itself.

The second problem is that a non-privileged app which can be told to get
its locale functions from an arbitrary dir (either using PATH_LOCALE, or
using ../../../ constructs in some variable which is used to construct a
path (which should probably be disallowed by libc anyway)) might be able
to read bits of files as the user being sudo'ed to.

Now, I haven't fully explored to what extent this is possible on FreeBSD -
I believe the first one is a problem if sudo is used on third party
applications, but I'm not sure if the second one is, i.e. whether we
disallow use of '/' in the appropriate locale variables.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
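Added example (not sudo's or FreeBSD's code, and not part of the original message): the kind of environment scrubbing Kris argues has to be "pushed down into sudo itself", applying to the target command the same distrust libc applies to a setuid binary. The rules encoded here are assumptions made for the illustration: LD_* is dropped (as the thread says sudo already does), PATH_LOCALE is dropped outright, and LANG/LC_* values are dropped when they contain a '/' or are a bare "." or "..", which is the "../../../ constructs" case from the second problem. The sample environment is constructed for the demo.

```c
/* Added example, not code from sudo or FreeBSD libc.  Scrub an environment
 * before exec'ing a command run via sudo, treating it as if it were setuid.
 * Variable names and rejection rules below are assumptions for this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if the variable name (length `len`, no '=') selects a locale. */
static bool is_locale_var(const char *name, size_t len)
{
    return (len == 4 && strncmp(name, "LANG", 4) == 0) ||
           (len > 3 && strncmp(name, "LC_", 3) == 0);
}

/* Decide whether one "NAME=value" entry may reach the target command. */
bool env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return false;                      /* malformed entry: drop it */
    size_t nlen = (size_t)(eq - entry);
    const char *value = eq + 1;

    /* Dynamic-loader controls; sudo already strips these (per the thread). */
    if (nlen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return false;
    /* Lets the user point libc at an arbitrary locale directory. */
    if (nlen == 11 && strncmp(entry, "PATH_LOCALE", 11) == 0)
        return false;
    /* Locale names are used to build a path under the locale directory;
     * a '/' (or a bare "." / "..") lets the value escape that directory. */
    if (is_locale_var(entry, nlen)) {
        if (strchr(value, '/') != NULL)
            return false;
        if (strcmp(value, ".") == 0 || strcmp(value, "..") == 0)
            return false;
    }
    return true;
}

/* Copy the entries of `in` that pass env_entry_allowed() into `out`
 * (NULL-terminated; `cap` is the capacity of `out` including the NULL).
 * Returns the number of entries kept, or -1 if `out` is too small. */
int scrub_env(char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_entry_allowed(in[i]))
            continue;
        if (n + 1 >= cap)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment, as a user allowed to sudo might set it.
 * Returns how many entries survive scrubbing (expected: PATH, LANG, HOME). */
int demo_kept_count(void)
{
    char *const sample[] = {
        "PATH=/usr/bin:/bin",
        "LD_PRELOAD=/tmp/evil.so",
        "PATH_LOCALE=/tmp/locale",
        "LANG=en_US.ISO8859-1",
        "LC_MESSAGES=../../../../tmp/locale",
        "HOME=/home/user",
        NULL
    };
    const char *kept[16];
    int n = scrub_env(sample, kept, sizeof kept / sizeof kept[0]);
    for (int i = 0; i < n; i++)
        printf("kept: %s\n", kept[i]);
    return n;
}

int main(void)
{
    printf("%d entries kept\n", demo_kept_count());
    return 0;
}
```

The point of the '/' rule is that it does not matter whether libc itself refuses slashes in locale names (the open question at the end of the message): a wrapper that is standing in for the setuid bit has to assume it does not.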







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0009071433440.16052-100000>