bug#24796: Arbitrary code execution via malicious dd input.

bug-coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#24796: Arbitrary code execution via malicious dd input.

From:	David Buchanan
Subject:	bug#24796: Arbitrary code execution via malicious dd input.
Date:	Tue, 25 Oct 2016 19:47:25 +0100
User-agent:	Roundcube Webmail/1.1.0

I originally submitted this to the kernel security team, and was told itwas intentional behaviour:

/proc/self/mem can be used to write to read-only segments (note: this isnothing to do with "dirycow").

As a proof of concept, I show that malicious input to the "dd" programcan cause arbitrary code execution by overwriting the text segment:


dd if=pwn of=/⁠proc/⁠self/⁠mem bs=4194304 seek=1

"pwn" is attatched. It consists of a nop sled, and then x64 TCPshellcode (port 1337,http://shell-storm.org/shellcode/files/shellcode-858.php).On both Debian 8 and Arch linux (x86_64), dd has PIE disabled, and4194304 is the start address of the text segment.

I believe this affects all versions of dd.

This PoC could potentially be use to escape sandboxes on any systemwhere "dd" is allowed to be used.


I assume the best way to fix this would be to disallow /proc/self/mem as

pwn
Description: Binary data

[Prev in Thread]

Current Thread

[Next in Thread]

bug#24796: Arbitrary code execution via malicious dd input., David Buchanan <=
- bug#24796: Arbitrary code execution via malicious dd input., David Buchanan, 2016/10/25
- bug#24796: Arbitrary code execution via malicious dd input., Paul Eggert, 2016/10/25

Prev by Date: bug#24794: broken tags in coreutils.git
Next by Date: bug#24795: sha1sum cannot find file to check
Previous by thread: bug#24795: sha1sum cannot find file to check
Next by thread: bug#24796: Arbitrary code execution via malicious dd input.
Index(es):
- Date
- Thread