I do not have a working example yet but I believe that privileges can
also be escalated with the following method.
The problem is the following command in do_dump_data:
echo do_jitconv > $SESSION_DIR/opd_pipe
SESSION_DIR can be controlled by the --session-dir option, so a malicious
user could very well replace the fifo $SESSION_DIR/opd_pipe with a
symbolic link.
In theory it becomes possible to create an arbitrary file containing the
text "do_jitconv".
I am not a security expert, but I am pretty sure that this is enough to
obtain root privileges, for example by creating a custom entry in
/etc/ld.so.conf.d/.
Generally speaking, allowing sudoers to change the oprofile session
directory without any controls is probably a very bad idea. The feature
is probably needed to avoid disk quota issues, so an /etc configuration
file listing all possible session directories could be the solution.
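As an added illustration of the two mitigations discussed in this report (an allow-list of session directories, and refusing to write through a symlink), here is example code that is not part of oprofile or of the bug report. The directory names, the allow-list and the `send_daemon_command` / `resolve_session_dir` helpers are assumptions for the demo; `demo()` builds its own fixtures in a temporary directory.

```python
import os
import stat
import tempfile


def resolve_session_dir(requested, allowed):
    """Return the canonical session dir only if it is on the allow-list
    (hypothetical stand-in for the /etc config file the report proposes)."""
    real = os.path.realpath(requested)
    return real if real in {os.path.realpath(a) for a in allowed} else None


def send_daemon_command(session_dir, command):
    """Write `command` to session_dir/opd_pipe only if it is a real FIFO.
    O_NOFOLLOW makes open() fail (ELOOP) if opd_pipe is a symlink, and the
    fstat() is done on the open descriptor so nothing can be swapped in
    between the check and the write."""
    path = os.path.join(session_dir, "opd_pipe")
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:  # ELOOP (symlink) or ENXIO (no daemon reading the fifo)
        return False
    try:
        if not stat.S_ISFIFO(os.fstat(fd).st_mode):
            return False
        os.write(fd, (command + "\n").encode())
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed fixture: a genuine session dir with a FIFO and a reader,
    a dir whose opd_pipe is a symlink to a file (the scenario in the report),
    and a dir whose opd_pipe is a plain file."""
    base = tempfile.mkdtemp()
    good, evil, plain = (os.path.join(base, d) for d in ("good", "evil", "plain"))
    for d in (good, evil, plain):
        os.mkdir(d)
    os.mkfifo(os.path.join(good, "opd_pipe"))
    rfd = os.open(os.path.join(good, "opd_pipe"), os.O_RDONLY | os.O_NONBLOCK)
    target = os.path.join(base, "some.conf")  # stands in for a file under /etc
    open(target, "w").close()
    os.symlink(target, os.path.join(evil, "opd_pipe"))
    open(os.path.join(plain, "opd_pipe"), "w").close()
    results = {
        "allowlist_rejects_evil": resolve_session_dir(evil, [good]) is None,
        "symlink_refused": send_daemon_command(evil, "do_jitconv") is False,
        "plain_file_refused": send_daemon_command(plain, "do_jitconv") is False,
        "fifo_accepted": send_daemon_command(good, "do_jitconv") is True,
    }
    results["reader_got"] = os.read(rfd, 64).decode()
    results["target_untouched"] = os.path.getsize(target) == 0
    os.close(rfd)
    return results
```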