Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Readline crime: exploiting a SUID logic bug- 1107

Rory M - Trail of Bits (posted 3 years ago)
  • After Qualys published the sudo vulnerability that shook the world a while ago, the author of the post wondered what other installed setuid binaries had vulnerabilities. They specifically decided to look at how these programs use environment variables, and tried setting environment variables against every setuid binary on their system.
  • To find which environment variables were consulted, they preloaded a library that simply logged every call to getenv(). After a bunch of dead ends, the variable INPUTRC appeared. It names a configuration file.
  • They set the variable to /etc/shadow, hoping that something interesting would leak. When running chfn, the program's output showed that the file was indeed read, but nothing useful was printed.
  • The author then searched the source code for something interesting. The readline library is where this environment variable does its damage: while parsing the configuration file, it prints errors along with the badly parsed data. So what exactly gets printed in those errors, and can it be tricked into printing something useful?
  • A line that begins with a quotation mark and has no closing mark gets printed. So does a line that starts with a colon followed by no whitespace. Finally, and most usefully, a line containing no space, tab or colon is printed in its entirety. SSH keys match this pattern, since they are base64-encoded data.
  • What's the punch line? Don't use readline in setuid binaries. The binary could also simply clear this environment variable. To me, the blame for the bug is hard to place. Is it reasonable to expect the chfn maintainers to know this quirk? And is it reasonable for readline to print these errors at all? To me, the blame isn't on any of these devs.
  • Overall, a great article that is concise, well-written and has many good jokes. setuid bugs aren't dead!
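The mitigation the post recommends (clear the variable before readline sees it), as an added C example that is not code from the Trail of Bits post: a setuid program scrubs INPUTRC before handing control to readline. The `privileged` flag, the `is_privileged_process()` helper and the optional "honour it only if the real user can read it" policy are my assumptions, not something the post prescribes.

```c
#if !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdlib.h>
#include <unistd.h>

enum inputrc_action { INPUTRC_ABSENT = 0, INPUTRC_KEPT = 1, INPUTRC_DROPPED = 2 };

/* True when the process runs with elevated effective ids, i.e. it was
 * started from a setuid/setgid binary and inherited an untrusted environment. */
int is_privileged_process(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Decide what to do with INPUTRC before calling readline().
 *
 * privileged == 0: an ordinary process, the user's own setting is honoured.
 * privileged != 0: the variable is dropped unless the *real* user could read
 *   the file themselves. access(2) checks against the real uid/gid, which is
 *   exactly the question a setuid program must ask; a caller pointing INPUTRC
 *   at /etc/shadow therefore loses the variable and readline falls back to its
 *   defaults, so parse errors can no longer echo lines of a protected file.
 *
 * Caveat: access() followed by readline's own open() leaves a small window
 * for the file to be swapped (TOCTOU). If that matters, pass keep_readable = 0
 * and the variable is dropped unconditionally, which is the post's advice. */
enum inputrc_action harden_inputrc(int privileged, int keep_readable) {
    const char *path = getenv("INPUTRC");
    if (path == NULL)
        return INPUTRC_ABSENT;
    if (!privileged)
        return INPUTRC_KEPT;
    if (keep_readable && access(path, R_OK) == 0)
        return INPUTRC_KEPT;
    unsetenv("INPUTRC");
    return INPUTRC_DROPPED;
}

int main(void) {
    /* Call this before the first readline()/rl_* call. */
    harden_inputrc(is_privileged_process(), 0);
    /* ... interactive prompt via readline() would follow here ... */
    return 0;
}
```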