Bugtraq mailing list archives

Re: libresolv+ bug


From: Don.Lewis () tsc tdk com (Don Lewis)
Date: Tue, 20 Aug 1996 14:53:45 -0700


On Aug 20,  9:25am, Alan Cox wrote:
} Subject: Re: libresolv+ bug
} > Well, if the text segment is read-only, that makes it rather difficult
} > to patch the binary.  But if the binary has privilege to go setuid,
}
} No no no, this is a perpetual fiction item I keep meeting. If it's
} not being setuid at the time you can use ptrace() to patch it. You can
} use mprotect to change the protection of the C library image (it's COW
} so it doesn't hurt others). Your code space is not some mythical sanctuary.

Ooh, could this be *another* hole?  You carefully write your code to
give up privileges except when they are absolutely needed, but then
Mr. Bad Guy attaches to the process when it's in the unprivileged state and
patches the text to seteuid(0) and exec("/bin/sh").

I sure hope there is no way to attach a process unless it has permanently
renounced privileges.

                        ---  Truck
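The concern raised above is the gap between a temporary privilege drop (seteuid, which leaves the saved set-user-id intact) and a permanent one. As an added example that is not part of this post or the thread, the following Linux C program renounces privileges for good with setresuid/setresgid, marks the process non-dumpable (the flag the Linux ptrace access check consults before letting an unprivileged same-uid process attach), and then verifies that no uid slot still holds root and that regaining root is refused. It assumes Linux (setresuid, setresgid and prctl are Linux-specific); the target uid/gid 65534 is a placeholder for an unprivileged account and is used only when run as root, otherwise the process's own ids are used.

```c
/* Added example, not code from the Bugtraq post: permanent privilege drop
 * on Linux with a self-check that nothing is left to regain.
 * Assumptions: Linux only; uid/gid 65534 is a placeholder unprivileged id. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <grp.h>
#include <errno.h>
#include <string.h>

/* Explicit prototypes in case _GNU_SOURCE was not in effect when
 * <unistd.h> was first processed; identical to the glibc declarations. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Permanently drop to (uid, gid): real, effective and saved ids all change,
 * so there is no saved set-user-id left to climb back to root from.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    /* Supplementary groups first, while we may still be root; an
     * unprivileged caller may not call setgroups, so skip it then. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* Group before user: after the uid is dropped, setresgid would fail. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Linux already clears the dumpable flag when credentials change;
     * set it explicitly so the intent lives in the code, not in policy. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return 0;
}

/* Returns 1 when every uid/gid slot (real, effective, saved) holds the
 * unprivileged value, i.e. a later setresuid(0, ...) has nothing to use. */
int creds_permanently_dropped(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    return r == uid && e == uid && s == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Returns 1 when the process is non-dumpable: no core file with its memory,
 * and no ptrace attach from an unprivileged process of the same uid. */
int is_non_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

/* Returns 1 when an attempt to become root again is refused with EPERM,
 * which is exactly what a permanent drop must guarantee. */
int cannot_regain_root(void) {
    return setresuid(0, 0, 0) == -1 && errno == EPERM;
}

int main(void) {
    /* Placeholder unprivileged ids when run as root; own ids otherwise. */
    uid_t target_uid = geteuid() == 0 ? 65534 : getuid();
    gid_t target_gid = getegid() == 0 ? 65534 : getgid();
    if (drop_privileges_permanently(target_uid, target_gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("dropped=%d non-dumpable=%d regain-refused=%d\n",
           creds_permanently_dropped(target_uid, target_gid),
           is_non_dumpable(), cannot_regain_root());
    return 0;
}
```

The order matters: supplementary groups, then gid, then uid, because each step removes the authority needed for the one before it. A program that only calls seteuid(getuid()) passes none of these checks, since its saved set-user-id still holds 0 and that is the state the post worries about.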
