Re: Solaris priocntl exploit

From: Pavel Kankovsky (peak@argo.troja.mff.cuni.cz)
Date: 12/23/02

    From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
    Date: Mon, 23 Dec 2002 11:58:46 +0100 (MET)
    To: Jay Beale <jay@bastille-linux.org>
    
    

    On Mon, 2 Dec 2002, Jay Beale wrote:

    > This always gets classified as bad input validation. Is the right
    > answer really to check for ../ 's or to canonicalize the filename
    > argument and check ownerships and permissions on the file and parent
    > directories?

    #2 is wrong: even a root-only-writable file under root-only-writable
    directories may be dangerous (e.g. a backup copy of an old and vulnerable
    scheduler module). Moreover, its contents may be under the control of
    other users even if the fs permissions do not allow direct access (mail
    queue, logs...--most of them should make it pretty difficult to create
    a valid ELF object (logs) or should not appear on a properly configured
    system (MTA running under root) but...)

    #1 is much better assuming there is nothing but valid scheduler modules
    in /kernel/sched et al (!). Nevertheless, one should always follow "the
    principle of least inclusion" and check against a conservative set of
    valid inputs (e.g. those matching [A-Z0-9_]{1,15}) rather than against a
    set of known invalid or dangerous inputs (e.g. ../).

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
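The allowlist-versus-denylist point in the message above, as an added example that is not part of the original thread. The allowlist is the one the message names, `[A-Z0-9_]{1,15}`; the denylist rejects only the `../` substring the message cites as the wrong approach. The function names, the comparison table and the sample inputs are constructed for illustration and are not from Solaris or from priocntl itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check ("principle of least inclusion"): a scheduler class name
 * is accepted only if it is 1..15 characters long and every character is
 * in [A-Z0-9_].  Anything else ('/', '.', lowercase letters, an empty
 * string) is rejected without having to anticipate any particular trick.
 * Hypothetical function name, not a Solaris API. */
bool class_name_allowed(const char *name)
{
    if (name == NULL)
        return false;

    /* Count characters, stopping as soon as the name is provably too long. */
    size_t len = 0;
    while (name[len] != '\0') {
        if (++len > 15)
            return false;
    }
    if (len == 0)
        return false;

    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return false;
    }
    return true;
}

/* Denylist check, shown only for contrast: it rejects the one known-bad
 * substring ("../") and nothing else, so any input that does not contain
 * that exact sequence passes.  Hypothetical function name. */
bool class_name_denylist(const char *name)
{
    if (name == NULL)
        return false;
    return strstr(name, "../") == NULL;
}

/* Print both verdicts for a set of constructed sample inputs. */
int main(void)
{
    static const char *samples[] = {
        "TS", "RT", "MY_CLASS_01",          /* plausible class names       */
        "", "ABCDEFGHIJKLMNOP", "ts",        /* empty, 16 chars, lowercase  */
        "../TS", "X/FOO", "/TMP/X"           /* contain '/' or '../'         */
    };
    size_t n = sizeof samples / sizeof samples[0];

    printf("%-18s %-9s %s\n", "input", "allowlist", "denylist");
    for (size_t i = 0; i < n; i++) {
        printf("%-18s %-9s %s\n",
               samples[i][0] ? samples[i] : "(empty)",
               class_name_allowed(samples[i]) ? "accept" : "reject",
               class_name_denylist(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The table makes the difference visible: the allowlist rejects every input that is not a bare class name, while the denylist accepts anything that merely avoids the literal `../`, which is exactly the gap the message warns about.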

