[systemd-bugs] [Bug 87354] systemd-coredump can run elfutils as root

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Dec 19 11:49:24 PST 2014


https://bugs.freedesktop.org/show_bug.cgi?id=87354

--- Comment #3 from Lennart Poettering <lennart at poettering.net> ---
(In reply to Bastien Nocera from comment #0)
> If a process running as root crashed, systemd-coredump would change the
> effective uid/gid to that of the crashing program.
> 
> So a carefully crafted coredump could hit elfutils parsing bugs to run
> arbitrary programs as the same user that crashed.
> 
> The solution would be to avoid running elfutils code as any privileged user.

Hmm?

We generate the stack trace after dropping uid/gid to the same as the process
that crashed.

If you managed to carefully craft a coredump under some uid/gid, then you are
so powerful; why would you then still need to trigger a bug in elfutils?

If you make apache crash by inserting enough data into apache to craft the
coredump the way you want, and then acquire access to the apache user that way,
what have you gained? I mean, you could just as well run your code as the apache
user right away, no need to go via the coredump stuff...

Not following here: why would there be any new threat from the coredump logic?

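The thread turns on one mechanism: the coredump handler drops uid/gid to those of the crashed process before any untrusted parser (elfutils) touches the dump. The example below is an added illustration of that pattern, written for this page; it is not systemd-coredump's code and does not claim to show how systemd implements the drop. It demonstrates the check a reviewer would want alongside such a drop: that real, effective and saved ids are all changed, so a bug in the parser cannot simply restore uid 0. The fallback uid/gid 65534 ("nobody") used when the program starts as root is an assumption; when started unprivileged it keeps its own ids so it can be run as any user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes: these Linux extensions are only declared by <unistd.h>
 * when _GNU_SOURCE is defined before the first system header is read. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Assumed unprivileged fallback ("nobody"), used only when we start as root. */
#define FALLBACK_UID ((uid_t)65534)
#define FALLBACK_GID ((gid_t)65534)

/* Who to become: the fallback if root, otherwise our own (already unprivileged) ids. */
uid_t target_uid(void) { return geteuid() == 0 ? FALLBACK_UID : getuid(); }
gid_t target_gid(void) { return geteuid() == 0 ? FALLBACK_GID : getgid(); }

/* Irreversible drop: clear supplementary groups (possible, and needed, only while
 * still root), then set real, effective AND saved gid, then uid. Gid goes first,
 * because once the uid is no longer 0 the gid could not be changed any more. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setresgid(gid, gid, gid) < 0)
        return -1;
    if (setresuid(uid, uid, uid) < 0)
        return -1;
    return 0;
}

/* Returns 1 if every uid/gid equals the target and root cannot be regained,
 * 0 otherwise. A seteuid()-only drop leaves the saved uid at 0, and the
 * setresuid(0, 0, 0) probe below would then succeed. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) < 0 || getresgid(&rg, &eg, &sg) < 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setresuid(0, 0, 0) == 0)
        return 0;               /* privilege was regained: the drop was reversible */
    return 1;
}

int main(void)
{
    uid_t uid = target_uid();
    gid_t gid = target_gid();

    if (drop_privileges(uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%u gid=%u, drop irreversible: %s\n",
           (unsigned)uid, (unsigned)gid,
           privileges_dropped(uid, gid) ? "yes" : "no");
    /* Only past this point would an untrusted parser be handed the coredump. */
    return 0;
}
```

Run it as root and it ends up as 65534/65534 with the probe reporting "yes"; run it as an ordinary user and the drop is a no-op but the probe still confirms that uid 0 is unreachable. The probe is the part worth keeping in any handler that parses attacker-influenced input after lowering privilege.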
