From: Jay Beale (jay_at_bastille-linux.org)
Date: Mon Dec 02 2002 - 10:45:38 CST

    > but unfortunately, priocntl() never checks '../' in pc_clname arg
    > we can use '../../../tmp/module' to make priocntl() load a module from anywhere

    You've got to love when this kind of classic mistake happens in a system call!

    I latched onto this one simply because it's the same poor input
    validation/permissions check that happens in my favorite old privilege escalator,
    userhelper. ( http://online.securityfocus.com/bid/913 )

    This always gets classified as bad input validation. Is the right answer really
    to check for ../ 's or to canonicalize the filename argument and check ownerships
    and permissions on the file and parent directories?

      - Jay
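
The alternative raised in the message above, canonicalizing the name and then checking ownership and permissions on the file and its parent directories, sketched as an added example that is not part of the original post or of any vendor fix. It is a userland POSIX illustration rather than kernel code; the function names, the trusted base directory, and the choice to stop the parent walk at that base are assumptions, and the fixture files are constructed.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Acceptable: owned by root or `owner`, and not group- or world-writable. */
static int safe_obj(const char *p, uid_t owner) {
    struct stat st;
    return lstat(p, &st) == 0 && (st.st_uid == 0 || st.st_uid == owner) &&
           !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Returns 1 only if base/name canonicalizes to a path inside base and the
 * object plus every directory from it up to base passes safe_obj(). */
int module_path_ok(const char *base, const char *name, uid_t owner) {
    char want[PATH_MAX], root[PATH_MAX], real[PATH_MAX];
    if (snprintf(want, sizeof want, "%s/%s", base, name) >= (int)sizeof want) return 0;
    if (!realpath(base, root) || !realpath(want, real)) return 0;
    size_t n = strlen(root);
    if (strncmp(real, root, n) != 0 || real[n] != '/') return 0; /* left base */
    for (;;) {
        if (!safe_obj(real, owner)) return 0;
        if (strlen(real) <= n) return 1;      /* base itself has been checked */
        *strrchr(real, '/') = '\0';           /* step up to the parent */
    }
}

/* Constructed fixture helper: create an empty file with an exact mode. */
static void mkfile(const char *dir, const char *name, mode_t m) {
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/%s", dir, name);
    FILE *f = fopen(p, "w");
    if (f) { fclose(f); chmod(p, m); }
}

/* Builds a temp tree; bit 0 = "good", bit 1 = "../evil", bit 2 = "loose". */
int self_check(void) {
    char top[] = "/tmp/modchk.XXXXXX", base[PATH_MAX];
    if (!mkdtemp(top)) return -1;
    snprintf(base, sizeof base, "%s/mod", top);
    mkdir(base, 0755);
    mkfile(base, "good", 0644);   /* inside base, sane mode: accepted */
    mkfile(base, "loose", 0666);  /* inside base, world-writable: rejected */
    mkfile(top, "evil", 0644);    /* outside base, reached via "../": rejected */
    uid_t me = getuid();
    return module_path_ok(base, "good", me) | (module_path_ok(base, "../evil", me) << 1)
         | (module_path_ok(base, "loose", me) << 2);
}

int main(void) { printf("verdict mask: %d\n", self_check()); return 0; }
```

A check-then-open sequence like this still leaves a window between the check and the use; where that matters, open the file first and run the ownership and mode checks on the descriptor with fstat().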