in include

#include & lt; / etc / shadow & gt ;, Hacker News

1.6k Views


                Recently I saw atweet where someone mentionedthat you can include

/ dev / stdin

in C code compiled with gcc. This is, to say the very least, surprising.

When you see something like this with an IT security background you start to wonder if this can be abused for an attack. While I couldn’t come up with anything, I started to wonder what else you could include. As you can basically include arbitrary paths on a system this may be used to exfiltrate data – if you can convince someone else to compile your code.

There are plenty of webpages that offer online services where you can type in C code and run it. It is obvious that such systems are insecure if the code running is not sandboxed in some way. But is it equally obvious that the compiler also needs to be sandboxed?

How would you attack something like this? Exfiltrating data directly through the code is relatively difficult, because you need to include data that ends up being valid C code. Maybe there’s a trick to make something like

/ etc / shadow

valid C code (you can put code before and after the include), but I haven’t found it. But it’s not needed either: The error messages you get from the compiler are all you need. All online tools I tested will show you the errors if your code does not compile.

I even found one service that allowed me to add

# include/shadow>

and showed me the hash of the root password. This effectively means this service is running compile tasks as root.

Including various files in

/ etc

allows to learn something about the system. For example

/ etc / lsb-release

often gives information about the distribution in use. Interestingly, including pseudo-files from

/ proc

does not work. It seems gcc treats them like empty files. This limits possibilities to learn about the system.

/ sys

and

/ dev

work, but they contain less human readable information.

In summary I think services letting other people compile code should consider sandboxing the compile process and thus make sure no interesting information can be exfiltrated with these attack vectors.             

**************
Read More
Brave Browser

What do you think?

0 Points
Upvote Downvote

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Open source silicon root of trust (RoT) | OpenTitan, Hacker News

Open source silicon root of trust (RoT) | OpenTitan, Hacker News

Market Analysis Report (17 Dec 2019)