List: oss-security
Subject: [oss-security] Re: CVE Request -- oprofile -- Local privilege escalation via crafted
From: William Cohen <wcohen () redhat ! com>
Date: 2011-04-30 23:56:42
Message-ID: 4DBCA1BA.2060309 () redhat ! com
On 04/29/2011 02:16 PM, Jan Lieskovsky wrote:
>
> Hello Josh, Steve, vendors,
>
> It was found that oprofile profiling system did not properly sanitize
> the content of event argument, provided to oprofile profiling control
> utility (opcontrol). If a local unprivileged user was authorized by
> sudoers file to run the opcontrol utility, they could use the flaw
> to escalate their privileges (execute arbitrary code with the privileges
> of the privileged system user, root). Different vulnerability than
> CVE-2006-0576.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=700883
>
> Could you allocate a CVE id for this?
>
> Thank you & Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: Oprofile is not encouraged to be run under sudo, but still
> should not allow escalation of privileges.
Hi,
I did a bisection on oprofile git and found the set_event function in opcontrol in:
http://oprofile.git.sourceforge.net/git/gitweb.cgi?p=oprofile/oprofile;a=commit;h=6b60be5e370aa8d58bd4fbbc39abd51c90509a31
The email thread associated with that patch:
http://marc.info/?l=oprofile-list&m=112293360728638&w=2
Appears that the eval is being used to simulate arrays:
http://marc.info/?l=oprofile-list&m=112297339521850&w=2
-Will
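
The pattern named in the message above, eval used to simulate arrays in a shell script, as an added example that is not part of the original message and is not oprofile's code. The function names, the SLOT_ prefix and the sample input are assumptions constructed for illustration; the hardened setter validates the index and lets eval see only a variable reference, never the data.

```sh
#!/bin/sh
# Constructed illustration: all names here are hypothetical, not oprofile's.

# Unsafe: the value is pasted into the string that eval re-parses, so any
# shell syntax inside it is executed instead of being stored.
set_slot_unsafe() {
    eval "SLOT_$1=$2"
}

# Hardened: the index must be all digits, and eval only sees "$_val",
# which the shell expands as data during the assignment.
set_slot_safe() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    _val=$2
    eval "SLOT_$1=\$_val"
}

# Read a simulated array element back, with the same index check.
get_slot() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    eval "printf '%s\n' \"\$SLOT_$1\""
}

# Returns 0 if the given setter ran the constructed input as code.
# The input is harmless: it only tries to assign a marker variable.
input_was_executed() {
    MARKER=unset
    "$1" 0 'cpu_clk; MARKER=ran' 2>/dev/null
    [ "$MARKER" = ran ]
}

for f in set_slot_unsafe set_slot_safe; do
    if input_was_executed "$f"; then
        echo "$f: input executed as code"
    else
        echo "$f: input stored as data: $(get_slot 0)"
    fi
done
```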