
List:       oss-security
Subject:    [oss-security] Re: CVE Request -- oprofile -- Local privilege escalation via crafted
From:       William Cohen <wcohen () redhat ! com>
Date:       2011-04-30 23:56:42
Message-ID: 4DBCA1BA.2060309 () redhat ! com

On 04/29/2011 02:16 PM, Jan Lieskovsky wrote:
> 
> Hello Josh, Steve, vendors,
> 
> It was found that oprofile profiling system did not properly sanitize
> the content of event argument, provided to oprofile profiling control
> utility (opcontrol). If a local unprivileged user was authorized by
> sudoers file to run the opcontrol utility, they could use the flaw
> to escalate their privileges (execute arbitrary code with the privileges
> of the privileged system user, root). Different vulnerability than
> CVE-2006-0576.
> 
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=700883
> 
> Could you allocate a CVE id for this?
> 
> Thank you & Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> P.S.: Oprofile is not encouraged to be run under sudo, but still
> should not allow escalation of privileges.


Hi,

I did a bisection on oprofile git and found the set_event function in opcontrol in:

http://oprofile.git.sourceforge.net/git/gitweb.cgi?p=oprofile/oprofile;a=commit;h=6b60be5e370aa8d58bd4fbbc39abd51c90509a31


The email thread associated with that patch:

http://marc.info/?l=oprofile-list&m=112293360728638&w=2

Appears that the eval is being used to simulate arrays:

http://marc.info/?l=oprofile-list&m=112297339521850&w=2

-Will
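
The eval-as-array pattern mentioned in this message, beside a hardened form, as an added example that is not part of the original message and is not oprofile's code. The function names, the CHOSEN_EVENTS_<n> variable naming, the allowed character set and the sample event string are all assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch. All names here (set_event_unsafe, set_event, get_event,
# CHOSEN_EVENTS_<n>) and the allowed character set are assumptions.

# The pattern: eval builds a variable name to emulate array element <n>.
# eval re-parses both arguments as shell syntax, so any metacharacter in
# the index or the value is interpreted rather than stored. Not called below.
set_event_unsafe() {
    eval "CHOSEN_EVENTS_$1=$2"
}

# Hardened form, two independent layers:
#  1. the index must be all digits, so the generated name is always valid;
#  2. the value reaches eval only as the literal text '$2', which the inner
#     shell expands as data, so its content is never parsed as code.
# The value allowlist is defence in depth on top of that.
set_event() {
    case "$1" in
        ''|*[!0-9]*) echo "set_event: invalid index" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!A-Za-z0-9_:.-]*) echo "set_event: invalid event" >&2; return 1 ;;
    esac
    eval "CHOSEN_EVENTS_$1=\$2"
}

# Read element <n> back; the index gets the same digits-only check.
get_event() {
    case "$1" in
        ''|*[!0-9]*) echo "get_event: invalid index" >&2; return 1 ;;
    esac
    eval "printf '%s\n' \"\${CHOSEN_EVENTS_$1-}\""
}

# Constructed sample input in an event:count:unitmask:kernel:user shape.
set_event 0 'CPU_CLK_UNHALTED:100000:0:1:1'
get_event 0
```

In a script that requires bash rather than POSIX sh, a real array (`events[$n]=$value`) removes the need for eval entirely.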

