[Eug-lug] local root exploit via setuid
Ben Barrett
benb at nu-world.com
Thu Apr 29 15:53:31 PDT 2004

Check these out, and see if you are left with any more-specific questions:

http://www.securityfocus.com/advisories/6599
http://www.securityfocus.com/advisories/6584
http://www.securityfocus.com/advisories/6513
http://www.securityfocus.com/advisories/6450

This older vuln-dev message pertains also. The author, Crispin Cowan, works up near
Portland and is part of the C.R.I.M.E. group up there:

http://www.securityfocus.com/archive/82/163951

The gist of it is that many programs must have some amount of root-level
capabilities to function properly, which can allow for an exploit involving said
program to allow the user to become root, by the same means that the program takes
root privileges... shouldn't happen, but it can.

This is only a real problem on a shared-but-inaccessible system. If you are the
only user, or if every user has physical access to the machine, then it is sort of
a moot point, since it is trivial to boot Knoppix or similar and reset the root
password, or do anything on that system (as root or otherwise).

It matters most for things like a simple pop-mail server. All too many are set up
so that pop users can actually log in, which is usually not desirable for exactly
these reasons -- *and* especially a concern in that situation, since pop passwords
are usually flying around the 'net in plaintext, where they can be grabbed and
tested for shell login on the host... if someone bad found that, then you'd have an
intruder looking for their setuid exploit, to root the mailserver. (as an example)

Hope this helps,
Ben

On Thu, 29 Apr 2004 14:20:31 -0700
Rob Hudson <rob at euglug.net> wrote:
| I see some security warnings about local users can gain root via a
| setuid exploit...
|
| There is a bug in [package] which may allow local users to gain root
| via a setuid file...
|
| How does this work?
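
Added example, not part of the original message or of any project it mentions: a defender's inventory of the setuid files this thread is about, so that each program that runs with its owner's privileges is known and reviewed. The function names, the `expected` baseline and the sample file names are assumptions made for illustration.

```python
import os
import stat

def audit_setuid(root, expected=frozenset()):
    """Return one finding per regular file under `root` that has the setuid bit.

    `expected` is a hypothetical baseline: paths the admin has already reviewed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            flags = []
            if st.st_uid == 0:
                flags.append("runs-as-root")  # executes with root's effective uid
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                flags.append("writable-by-non-owner")  # group/other write bit is set
            if path not in expected:
                flags.append("not-in-baseline")
            findings.append({"path": path, "owner_uid": st.st_uid,
                             "mode": stat.filemode(st.st_mode), "flags": flags})
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree(base):
    """Constructed sample input: three empty files with different modes."""
    modes = {"passwd-like": 0o4755, "sloppy": 0o4775, "ordinary": 0o755}
    for name, mode in modes.items():
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)  # chmod ignores umask, so the bits land exactly
    return {name: os.path.join(base, name) for name in modes}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        paths = make_sample_tree(tmp)
        for f in audit_setuid(tmp, expected={paths["passwd-like"]}):
            print(f["mode"], f["owner_uid"], f["path"], ",".join(f["flags"]))
```

On a real host the scan would start at a filesystem root and `expected` would hold the setuid paths shipped by the distribution's packages; anything flagged not-in-baseline is what to check against advisories like the ones linked above.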