emacs-bug-tracker

[debbugs-tracker] bug#24796: closed (Arbitrary code execution via malicious dd input.)

From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#24796: closed (Arbitrary code execution via malicious dd input.)
Date: Tue, 25 Oct 2016 18:59:01 +0000

Your message dated Tue, 25 Oct 2016 11:58:26 -0700
with message-id <address@hidden>
and subject line Re: bug#24796: Arbitrary code execution via malicious dd input.
has caused the debbugs.gnu.org bug report #24796,
regarding Arbitrary code execution via malicious dd input.
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
24796: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24796
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: Arbitrary code execution via malicious dd input.
Date: Tue, 25 Oct 2016 19:47:25 +0100
User-agent: Roundcube Webmail/1.1.0

I originally submitted this to the kernel security team, and was told it was intentional behaviour:

/proc/self/mem can be used to write to read-only segments (note: this is nothing to do with "dirtycow").

As a proof of concept, I show that malicious input to the "dd" program can cause arbitrary code execution by overwriting the text segment:

dd if=pwn of=/proc/self/mem bs=4194304 seek=1

"pwn" is attached. It consists of a nop sled, and then x64 TCP shellcode (port 1337, http://shell-storm.org/shellcode/files/shellcode-858.php). On both Debian 8 and Arch Linux (x86_64), dd has PIE disabled, and 4194304 is the start address of the text segment.
I believe this affects all versions of dd.

This PoC could potentially be used to escape sandboxes on any system where "dd" is allowed to be used.

I assume the best way to fix this would be to disallow /proc/self/mem as

Attachment: pwn
Description: Binary data


--- End Message ---
--- Begin Message ---
Subject: Re: bug#24796: Arbitrary code execution via malicious dd input.
Date: Tue, 25 Oct 2016 11:58:26 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

It's not reasonable to change every program that could possibly write to /proc/self/mem, so I'm going to close the coreutils bug. Instead, any fix needs to be done at the system level, outside the scope of coreutils per se.


--- End Message ---
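The mechanism both messages turn on, as an added check that is not part of the bug report or of coreutils: a small C probe that tells you whether the kernel or sandbox you run under lets a process rewrite one of its own read-only mappings through /proc/self/mem. It uses a private, non-executable data page rather than a text segment, so it exercises only the write path that the maintainer says must be blocked at the system level; the function and constant names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcomes of the probe (names are this example's own, not a kernel API). */
enum mem_probe { PROBE_UNAVAILABLE = -1, PROBE_DENIED = 0, PROBE_ALLOWED = 1 };

/* Map one private page, fill it with a known pattern, drop it to PROT_READ,
   then try to change its first byte by writing to /proc/self/mem at the
   page's virtual address. A normal store through a pointer would SIGSEGV
   here; the /proc write goes through the kernel's forced-access path instead. */
int probe_proc_self_mem(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return PROBE_UNAVAILABLE;

    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return PROBE_UNAVAILABLE;
    memset(page, 0xAA, (size_t)pagesz);            /* known pattern */
    if (mprotect(page, (size_t)pagesz, PROT_READ) != 0) {
        munmap(page, (size_t)pagesz);
        return PROBE_UNAVAILABLE;
    }

    /* Missing or not writable when procfs is absent or a sandbox masks it. */
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) {
        munmap(page, (size_t)pagesz);
        return PROBE_UNAVAILABLE;
    }

    unsigned char patch = 0xBB;
    /* The file offset into /proc/self/mem is the virtual address, which is
       exactly what dd's bs= and seek= selected in the report. */
    ssize_t n = pwrite(fd, &patch, 1, (off_t)(uintptr_t)page);
    close(fd);

    int changed = (n == 1 && *(volatile unsigned char *)page == 0xBB);
    munmap(page, (size_t)pagesz);
    return changed ? PROBE_ALLOWED : PROBE_DENIED;
}

/* Runs the probe twice and reports whether the kernel answered consistently. */
int probe_is_stable(void)
{
    return probe_proc_self_mem() == probe_proc_self_mem();
}
```

PROBE_ALLOWED means the environment has no system-level block on the path the report uses, which is the condition the maintainer's reply leaves to the system rather than to dd; PROBE_DENIED or PROBE_UNAVAILABLE means kernel policy or the sandbox already closes it.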
