Date: Tue, 10 Feb 2015 03:43:18 +0100
From: Mateusz Guzik <mjguzik@gmail.com>
To: Rui Paulo <rpaulo@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r278479 - in head: etc sys/kern
Message-ID: <20150210024317.GA21779@dft-labs.eu>
In-Reply-To: <201502092313.t19NDpoS083043@svn.freebsd.org>
References: <201502092313.t19NDpoS083043@svn.freebsd.org>
On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
> +notify 10 {
> + match "system" "kernel";
> + match "subsystem" "signal";
> + match "type" "coredump";
> + action "logger $comm $core";
> +};
> +
> */
> [..]
> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
> + goto out;
> + snprintf(data, len, "comm=%s", fullpath);

I cannot test it right now, but it looks like immediate privilege escalation.

Path is not sanitized in any way and devd passes it to 'sh -c'. So a file named "a.out; /bin/id; meh" or so should result in execution of aforementioned /bin/id.

Another note is that currently devctl is record oriented, but this may change at some point and free form userspace text could be used to forge new events.

As such I strongly suggest we sanitize this somehow. Maybe a base64 or something.

-- 
Mateusz Guzik <mjguzik gmail.com>
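Review bot: In the devd.conf hunk, `action "logger $comm $core";` expands `$comm` unquoted into a command line that devd hands to the shell, and `$comm` is the full path of the dumping executable, a value an unprivileged user picks by choosing where to place and run the binary; any path containing whitespace, `;`, a backquote or `$(` therefore turns the logger call into command execution with devd's privileges. Single-quoting the expansions in the rule (`action "logger '$comm' '$core'";`) narrows this but still breaks on a `'` in the path, so quoting in the rule is a stopgap; the value needs to be escaped before it enters the event.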
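Review bot: In the sys/kern hunk, `snprintf(data, len, "comm=%s", fullpath);` copies the pathname verbatim, so shell metacharacters and whitespace in the executable's path reach the devctl consumer unescaped, and a path containing a space or `=` can also be misread as additional key=value fields of the record. The return value of `snprintf` is discarded as well, so a path longer than `len` is silently truncated. Suggest encoding `fullpath` into a restricted character set (percent- or base64-style) before formatting it, and comparing the return value against `len` so a truncated event is dropped rather than emitted.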
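The sanitization the reply asks for, as an added example that is not FreeBSD code and not part of the original thread: an encoder that rewrites any byte outside a small safe set as `%XX` before the path is placed in the `comm=` field, the matching decoder a consumer would apply, and a check that the encoded value contains nothing `sh -c` could interpret when devd expands `$comm` into `logger $comm $core`. Percent-encoding is used instead of the base64 mentioned in the reply so the path stays readable in devd rules; the function names `devctl_escape_path`, `devctl_unescape_path` and `devctl_event_is_shell_safe` are hypothetical, and the sample pathname is constructed from the one in the mail.

```c
/* Added example, not FreeBSD code. Function names are hypothetical.
 * Escapes an untrusted pathname so it can be placed in a devctl record
 * without letting devd's shell action be injected. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes passed through unchanged; everything else becomes %XX. The set
 * deliberately excludes every sh(1) metacharacter, whitespace and '='. */
static int devctl_path_safe(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '/' || c == '.' ||
           c == '_' || c == '-';
}

/* Encode src into dst (dstlen bytes). dst is always NUL-terminated when
 * dstlen > 0. Returns the length the full encoding needs, excluding the NUL;
 * a result >= dstlen means the output was truncated and must not be emitted. */
size_t devctl_escape_path(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = 0;

    for (const unsigned char *p = (const unsigned char *)src; *p != '\0'; p++) {
        if (devctl_path_safe(*p)) {
            if (need + 1 < dstlen)
                dst[need] = (char)*p;
            need++;
        } else {
            if (need + 3 < dstlen) {
                dst[need] = '%';
                dst[need + 1] = hex[*p >> 4];
                dst[need + 2] = hex[*p & 0xF];
            }
            need += 3;
        }
    }
    if (dstlen > 0)
        dst[need < dstlen ? need : dstlen - 1] = '\0';
    return need;
}

/* Decode in place. Returns 0 on success, -1 on a malformed %-sequence or an
 * encoded NUL (which would otherwise silently shorten the path). */
int devctl_unescape_path(char *s)
{
    char *w = s;

    for (const char *r = s; *r != '\0'; r++) {
        if (*r != '%') {
            *w++ = *r;
            continue;
        }
        int v = 0;
        for (int i = 1; i <= 2; i++) {
            char c = r[i];
            int d;
            if (c >= '0' && c <= '9') d = c - '0';
            else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
            else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
            else return -1;            /* short or non-hex sequence */
            v = v * 16 + d;
        }
        if (v == 0)
            return -1;
        *w++ = (char)v;
        r += 2;
    }
    *w = '\0';
    return 0;
}

/* 1 if the encoded value holds only safe bytes and '%', i.e. nothing the
 * shell could interpret once devd substitutes it into an action string. */
int devctl_event_is_shell_safe(const char *enc)
{
    for (const unsigned char *p = (const unsigned char *)enc; *p != '\0'; p++)
        if (!devctl_path_safe(*p) && *p != '%')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: the kind of pathname the mail warns about. */
    const char *evil = "/tmp/a.out; /bin/id; meh";
    char buf[128];
    size_t n = devctl_escape_path(evil, buf, sizeof buf);

    if (n >= sizeof buf)
        return 1;                      /* would be truncated: drop the event */
    printf("comm=%s shell_safe=%d\n", buf, devctl_event_is_shell_safe(buf));
    devctl_unescape_path(buf);
    printf("decoded: %s\n", buf);
    return 0;
}
```

The encoder follows snprintf's contract so a caller can treat a return value of `len` or more as "truncated, do not emit", which is the check the quoted hunk is missing; the decoder refuses `%00` so a consumer cannot be handed a path that is shorter than the kernel intended.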
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150210024317.GA21779>