Bugtraq mailing list archives
Re: Does the shared lib bug work on any suid program ?
From: jmason () iona ie (Justin Mason)
Date: Mon, 6 Nov 1995 15:30:51 +0000
Bernd Lehle said:
- Choose any suid program, that uses a library call, You know the name
- example: su calls crypt(3)
- take the library that contains crypt and delete crypt from it
- add a crypt function that does exec(sh)
- rebuild the shared library with the new crypt
- set the shared library path to Your home
- su

Right after the Password was typed in, You should have a root shell... This game could be played with any suid program, where You know what routines it calls.

Most reasonably sane operating systems will ignore the shared library search path when executing setuid programs, relying instead on the builtin default (e.g. /usr/lib). That takes care of the problem you mention, and this behaviour is built into the kernel.

All well and good, except when a program is run as root with your environment; then the above restriction doesn't come into effect. Usually this happens as a result of being exec'd by a setuid-root program (see the 8lgm "at" hole) or as a result of something more unusual such as this telnetd thing.

By the way, an addendum to ckd's patch: Adam Shostack mentioned LANG as another useful env var to propagate, along with TZ, USER, TERM, DISPLAY and TERMCAP.

--j.
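
An added example (not part of the original message, and not ckd's patch): one way a daemon could reduce an untrusted environment to the variables named above before it execs a program as root. The function names and the constructed sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables the message lists as worth propagating; everything else,
 * including dynamic-linker search-path variables, is dropped. */
static const char *const ALLOWED[] = {
    "TZ", "USER", "TERM", "DISPLAY", "TERMCAP", "LANG", NULL
};

/* Return 1 only if entry is "NAME=value" and NAME matches an allowlist
 * name exactly (so TERMINFO does not pass as TERM). Hypothetical helper. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, n;
    if (eq == NULL || eq == entry)
        return 0;                       /* malformed: no name or no '=' */
    n = (size_t)(eq - entry);
    for (i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(entry, ALLOWED[i], n) == 0)
            return 1;
    return 0;
}

/* Build a new NULL-terminated vector holding only allowlisted entries.
 * Strings are shared with envp; caller frees the vector. NULL on failure. */
char **filter_env(char *const envp[])
{
    size_t count = 0, kept = 0, i;
    char **out;
    while (envp[count] != NULL)
        count++;
    out = malloc((count + 1) * sizeof *out);
    if (out == NULL)
        return NULL;
    for (i = 0; i < count; i++)
        if (env_allowed(envp[i]))
            out[kept++] = envp[i];
    out[kept] = NULL;
    return out;
}

/* Constructed sample of what a remote client might supply. */
static char *sample_env[] = { "TERM=vt100", "LD_LIBRARY_PATH=/home/user/lib",
    "TZ=GMT", "TERMINFO=/tmp/x", "LANG=C", "USERX=1", NULL };

int main(void)
{
    char **clean = filter_env(sample_env);
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        puts(clean[i]);
    free(clean);
    return 0;
}
```

The filtered vector is what would be passed as the third argument to execve(2); starting from an empty environment and copying in only known names fails closed when a new dangerous variable appears.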