Keep It Simple, Stupid | |
PerlMonks |
Two-argument open, and reading already open files.by pjf (Curate) |
on Dec 17, 2006 at 06:55 UTC ( [id://590285]=note: print w/replies, xml ) | Need Help?? |
As you point out, if real and effective user ids are different, taint mode is enabled automatically. So even if a script relying upon <> is accidently given the setuid bit, nothing nasty happens. That means the attack is not an attack. Except that taint doesn't stop you opening a file for reading. So, is there anything that taint considers opening "for reading", and which one would not be able to invoke using the 3-argument open? Well, there is, and it's hardly ever seen:
The special <&=n sequence instructs Perl to duplicate an existing filehandle. What interesting things can setuid programs have open that an attacker may wish to read? How about /etc/passwd after a getpwent() call?
When running as root, the getpw* calls open /etc/shadow to read the password. My box closes the file immediately after, but do you trust every system to do that? Network sockets, configuration files, or anything else that uses a filehandle is fair game for this attack. A setuid program that has open filehandles to privileged resources runs the very real risk of revealing information it shouldn't if you can get it to use a 2-argument open with user input. Remember, taint doesn't help you here. We're opening a file for reading. ;)
Paul Fenwick Perl Training Australia
In Section
Seekers of Perl Wisdom
|
|