Bugtraq mailing list archives

Does the shared lib bug work on any suid program ?


From: Bernd.Lehle () RUS Uni-Stuttgart DE (Bernd Lehle)
Date: Fri, 3 Nov 1995 14:07:56 +0100


Hi there,

After all the fuss about the telnet/shared lib stuff, somebody here came up
with something that might be even more interesting:

What would happen in the following case:

- Choose any suid program that uses a library call whose name you know
- example: su calls crypt(3)
- take the library that contains crypt and delete crypt from it
- add a crypt function that does exec(sh)
- rebuild the shared library with the new crypt
- set the shared library path to your home
- su

Right after the password is typed in, you should have a root shell...

This game could be played with any suid program where you know what routines
it calls.

Or am I missing something ?

I have not tried this yet, because I don't know (yet) how to build shared
libraries...

--
Bernd Lehle - Stuttgart University Computer Center * A supercomputer <
      Visualization / SFB 382 / Astrophysics       *  is a machine   <
lehle () rus uni-stuttgart de   Tel:+49-711-685-2047  *  that runs an   <
  http://www.tat.physik.uni-tuebingen.de/~lehle    *  endless loop   <
 pgp? -> finger bernd () visbl rus uni-stuttgart de   *  in 2 seconds   <
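The procedure sketched in the post, worked through as an added example; this is not the poster's code and nothing in the message was actually tried. Everything below is assumed for the demonstration: a small victim program that calls crypt(3) the way su would (with a constructed password and salt), a replacement libcrypt.so.1 whose crypt() execs /bin/sh, a scratch directory standing in for "your home", and a user named nobody. The script runs the victim twice: first as an ordinary binary, where LD_LIBRARY_PATH is honoured and the replacement crypt() is what runs, and then (only when the script itself runs as root, so it can make the copy setuid to nobody) as a set-uid binary, where the kernel sets AT_SECURE and glibc's ld.so ignores LD_LIBRARY_PATH, so the real libcrypt is loaded. That second run is the check a practitioner would want on a current glibc system; loader behaviour on the systems of 1995 is not something this example speaks to.

```shell
#!/bin/sh
# Added example (not from the original post): builds a victim that calls
# crypt(3), a replacement libcrypt.so.1 whose crypt() execs a shell, and runs
# the victim with LD_LIBRARY_PATH pointing at the replacement, first as a plain
# binary and then (root only) as a setuid binary.  All names here are assumed.
set -eu

setup() {
    WORK=$(mktemp -d)
    HAVE_TOOLS=1
    command -v cc >/dev/null 2>&1 || HAVE_TOOLS=0

    # Stand-in for su: prints AT_SECURE (1 = set-uid exec, in which case ld.so
    # ignores LD_LIBRARY_PATH), then hashes a constructed password like su would.
    cat >"$WORK/victim.c" <<'EOF'
#include <stdio.h>
#include <sys/auxv.h>
char *crypt(const char *key, const char *salt);   /* crypt(3) from libcrypt */
int main(void) {
    printf("secure=%lu\n", getauxval(AT_SECURE));
    fflush(stdout);
    const char *h = crypt("hunter2", "$6$saltsalt$");  /* constructed input */
    printf("crypt=%s\n", h ? h : "(null)");
    return 0;
}
EOF

    # The poster's replacement crypt(): no hashing, just exec(sh).
    cat >"$WORK/fakecrypt.c" <<'EOF'
#include <unistd.h>
char *crypt(const char *key, const char *salt) {
    (void)key; (void)salt;
    execl("/bin/sh", "sh", "-c", "echo hijacked as uid $(id -u)", (char *)0);
    return 0;   /* only reached if the exec failed */
}
EOF

    if [ "$HAVE_TOOLS" = 1 ]; then
        mkdir -p "$WORK/home"          # "set the shared library path to your home"
        cc -shared -fPIC -Wl,-soname,libcrypt.so.1 \
           -o "$WORK/home/libcrypt.so.1" "$WORK/fakecrypt.c" || HAVE_TOOLS=0
        # Link against the fake at build time so the victim's NEEDED entry is
        # plain "libcrypt.so.1"; at run time the loader resolves that to the
        # system library unless LD_LIBRARY_PATH steers it to $WORK/home.
        cc -o "$WORK/victim" "$WORK/victim.c" \
           -L"$WORK/home" -l:libcrypt.so.1 || HAVE_TOOLS=0
    fi
}

# Map the victim's output to one word: hijacked | protected | broken | skip
classify() {
    case "$1" in
        *secure=1*hijacked*) echo broken ;;     # should never happen
        *secure=1*)          echo protected ;;  # real crypt() ran under AT_SECURE
        *hijacked*)          echo hijacked ;;   # replacement library was loaded
        *)                   echo skip ;;
    esac
}

# Plain (non-setuid) binary: LD_LIBRARY_PATH is honoured, so the fake crypt wins.
demo_unprivileged() {
    [ "$HAVE_TOOLS" = 1 ] || { echo skip; return 0; }
    # Sanity check: without the path override the real libcrypt must be found.
    case "$("$WORK/victim" 2>&1 || true)" in *crypt=*) ;; *) echo skip; return 0 ;; esac
    out=$(LD_LIBRARY_PATH="$WORK/home" "$WORK/victim" 2>&1 || true)
    classify "$out"
}

# Setuid binary owned by another user: the kernel sets AT_SECURE and glibc's
# ld.so drops LD_LIBRARY_PATH, so the real libcrypt is loaded.  Needs root and
# a user "nobody"; on a nosuid mount the bit is ignored and we report skip.
demo_setuid() {
    [ "$HAVE_TOOLS" = 1 ] && [ "$(id -u)" = 0 ] && id -u nobody >/dev/null 2>&1 \
        || { echo skip; return 0; }
    cp "$WORK/victim" "$WORK/victim_suid"
    chown nobody "$WORK/victim_suid"
    chmod 4755 "$WORK/victim_suid"
    chmod 755 "$WORK"                  # let euid nobody traverse the scratch dir
    out=$(LD_LIBRARY_PATH="$WORK/home" "$WORK/victim_suid" 2>&1 || true)
    case "$out" in *secure=0*) echo skip; return 0 ;; esac   # setuid not honoured
    classify "$out"
}

cleanup() { rm -rf "$WORK"; }

setup
echo "plain binary:  $(demo_unprivileged)"
echo "setuid binary: $(demo_setuid)"
cleanup
```

Run it as an ordinary user and the first line reports "hijacked": the victim's crypt() call never reaches libcrypt, the exec'd shell runs with that user's uid. Run it as root on a filesystem mounted without nosuid and the second line reports "protected": the same LD_LIBRARY_PATH is in the environment, but the set-uid exec marks the process AT_SECURE and the loader refuses to take libraries from it, so the real hash is printed. The script reports "skip" rather than guessing whenever a compiler, the system libcrypt, root, or an honoured setuid bit is missing.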
