[Eug-lug] local root exploit via setuid

Jacob Meuser jakemsr at jakemsr.com
Fri Apr 30 12:10:57 PDT 2004


On Thu, Apr 29, 2004 at 06:06:26PM -0700, Cory Petkovsek wrote:
> On Thu, Apr 29, 2004 at 02:20:31PM -0700, Rob Hudson wrote:
> > How does this work?
> 
> Short answer is they utilize a bug, like a buffer overflow in a program
> setuid.  The setuid prog, say '/bin/ping' runs as root to access the network
> socket.  Let's say ping has an option --BD.  When it is fed input from the user
> it does some stuff on it, like prints extra fields.
> 
> Perhaps there is a bug in the code that processes the user input to --BD, and
> under the right circumstances, might actually execute that code:
> ping google.com --BD="%Y%D%m-%T\0x33\0x34\0x66\0x88\0x224\0x221"
> 
> --BD was only expecting a few date strings, like %Y %D.  Since I gave it
> something it didn't expect, it 'exploited' the bug.  Perhaps it did so that it
> ran my extra input as an executable.  Perhaps my extra input was some code that
> told it to run /bin/bash.  That would give me a root shell.
> 
> Another method would be to have the input code change my uid to 0.  After the
> program finished, I'd be root.

So, why doesn't glibc have strlcat?  Oh yeah, all those GNU coders know
how to properly code ... yeah, right.

People used to always ask why I use OpenBSD.  Well, OpenBSD goes to
great lengths to have less code using root privileges and to make buffer
exploits much more difficult.  Doesn't matter on a single-user desktop?
Well, I'd rather have flaws in a program only affect that program,
not possibly screw with/crash the rest of my system.  Besides, the
compiler is pretty good about letting me know that some code has
potential exploits.

http://www.openbsd.org/cgi-bin/man.cgi?query=gcc-local

-- 
<jakemsr at jakemsr.com>
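As an added example, not code from the thread or from OpenBSD: a portable strlcat of the kind Jacob refers to, with a caller that checks the return value so an oversized field is rejected instead of silently overflowing or being mangled. The names my_strlcat and format_field and the sample inputs are my own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Portable strlcat with OpenBSD semantics: append src to dst without
 * writing past dstsize bytes, always NUL-terminate (if dstsize > 0), and
 * return the length the result would have had with unlimited space.
 * A return value >= dstsize tells the caller that truncation occurred. */
size_t my_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0;
    while (dlen < dstsize && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == dstsize)              /* dst not terminated within dstsize */
        return dstsize + slen;
    size_t room = dstsize - dlen - 1; /* bytes left for src, minus the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build an output line from a user-supplied field into a fixed buffer,
 * the kind of step the quoted ping example describes. Returns 1 if the
 * whole field fit, 0 if it was truncated (the caller should treat the
 * input as bad rather than use the shortened result). */
int format_field(char *out, size_t outsize, const char *prefix, const char *field)
{
    out[0] = '\0';
    if (my_strlcat(out, prefix, outsize) >= outsize)
        return 0;
    return my_strlcat(out, field, outsize) < outsize;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: one that fits and one that is far too long. */
    printf("%d %s\n", format_field(buf, sizeof buf, "ts=", "2004-04-30"), buf);
    printf("%d %s\n", format_field(buf, sizeof buf, "ts=",
                                   "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"), buf);
    return 0;
}
```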
