[Eug-lug] local root exploit via setuid

Cory Petkovsek cory at adaptableit.com
Thu Apr 29 19:06:26 PDT 2004


On Thu, Apr 29, 2004 at 02:20:31PM -0700, Rob Hudson wrote:
> How does this work?

Short answer is they utilize a bug, like a buffer overflow in a setuid
program.  The setuid prog, say '/bin/ping' runs as root to access the network
socket.  Let's say ping has an option --BD.  When it is fed input from the user
it does some stuff on it, like prints extra fields.

Perhaps there is a bug in the code that processes the user input to --BD, and
under the right circumstances, might actually execute that code:
ping google.com --BD="%Y%D%m-%T\0x33\0x34\0x66\0x88\0x224\0x221"

--BD was only expecting a few date strings, like %Y %D.  Since I gave it
something it didn't expect, it 'exploited' the bug.  Perhaps it did so that it
ran my extra input as an executable.  Perhaps my extra input was some code that
told it to run /bin/bash.  That would give me a root shell.

Another method would be to have the input code change my uid to 0.  After the
program finished, I'd be root.

Cory

-- 
Cory Petkovsek                                       Adapting Information
Adaptable IT Consulting                                Technology to Your
(858) 705-1655                                                   Business
cory at AdaptableIT.com                                  www.AdaptableIT.com
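The defensive pattern that follows from Cory's explanation: a setuid program does the one thing that needs root (the raw socket), drops root permanently and verifies the drop, and only then touches user input, through a bounded call. This is an added example for the thread, not code from ping or from the original post; `drop_privileges` and `format_user_option` are illustrative names, and the fixed timestamp is constructed so the output is predictable.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <time.h>
#include <unistd.h>

/* Permanently give up root: set gid, then uid, to the invoking user's real
 * ids and check the kernel really did it. Called as root on Linux, setgid()
 * and setuid() replace real, effective and saved ids together. Returns 0 on
 * success, -1 otherwise. A full program also clears supplementary groups
 * with setgroups() while it is still root. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0) return -1;   /* gid first: changing it needs root */
    if (setuid(uid) != 0) return -1;

    /* Do not trust return codes alone: re-read the ids and, if we were not
     * the real root to begin with, confirm root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* The user-controlled --BD-style option is handled only after the drop and
 * through strftime(), which never writes past outlen bytes whatever the
 * format says. Returns bytes written, or -1 if the result is empty or too long. */
int format_user_option(const char *user_fmt, char *out, size_t outlen)
{
    time_t fixed = 0;                 /* constructed fixed time: 1970-01-01 UTC */
    struct tm tm;
    gmtime_r(&fixed, &tm);
    size_t n = strftime(out, outlen, user_fmt, &tm);
    if (n == 0) { if (outlen) out[0] = '\0'; return -1; }
    return (int)n;
}

int main(int argc, char **argv)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* 1. the root-only step */
    if (drop_privileges() != 0) { fputs("privilege drop failed\n", stderr); return 1; }
    char out[64];                                       /* 3. user input last */
    const char *fmt = argc > 1 ? argv[1] : "%Y-%m-%d %T";
    if (format_user_option(fmt, out, sizeof out) < 0) { fputs("bad format\n", stderr); return 1; }
    printf("raw socket %s, now uid %u, stamp %s\n",
           fd >= 0 ? "opened" : "unavailable", (unsigned)geteuid(), out);
    if (fd >= 0) close(fd);
    return 0;
}
```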

