Bugtraq mailing list archives
Re: system() call in suid programs
From: Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu)
Date: Fri, 14 Jun 1996 12:31:53 -0400
On Fri, 14 Jun 1996 10:18:35, you said:

> I know that it is bad to use the system() system call in programs, especially ones that are suid root, and that it can be exploited fairly easily. Could somebody post or send me details how exploits based on the system() call work? Detail would be good, as I am supposed to explain the security implications to my boss at our next meeting.

The basic problem with using system() is that it basically does the following:

    fork();
    exec("/bin/sh", "-c", "your argument string here");

The problem is that it is just TOO EASY to break this. For instance, let's say your program includes a system("/bin/date"):

Look secure? Sure - how can you exploit /bin/date? ;) Well.. How about this:

1) The attacker puts '.' in his path (usually not recommended for just this reason, you don't wanna have this happen accidentally ;)
2) Attacker sets IFS=/
3) Attacker runs your program.. Program launches a shell.
4) The shell is handed the string "/bin/date". It looks at IFS to decide how to parse it into words. Well.. we word-break on /. So we have 2 words, "bin" and "date".
5) The shell decides this means the user wanted to run a program 'bin' with a parameter 'date'.
6) It waltzes down the PATH variable.. and in '.', we find a shell script called 'bin' that has in it:

    cp /bin/sh /tmp/.my_setuid_backdoor
    chown root /tmp/.my_setuid_backdoor
    chmod 6555 /tmp/.my_setuid_backdoor

So it runs it. Now the attacker has a set-uid shell he can use to get root any time he wants.

In addition, almost any of the OTHER known ways to attack set-uid shell scripts (race conditions with symlinks, odd settings of the SHELL environment variable, etc., ad nauseam) will also work against calls to system().

The worst part is that coding the fork/exec *yourself* takes only 5-6 lines more, and you can shut down almost all of these attacks.

--
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech
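Added example (not from the original post or its author): the fork/exec replacement the reply alludes to, written in C. It runs /bin/date by absolute path with a fixed environment of its own, so no /bin/sh is involved and the caller's IFS, PATH and SHELL values never reach the child; run_direct and safe_env are names chosen for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child. Everything inherited from the caller
 * (IFS, PATH, SHELL, ...) is dropped, so nothing the invoking user set
 * can influence how the program is found or run. */
static char *const safe_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Run a program directly with fork() + execve(), bypassing /bin/sh.
 * Returns the child's exit status, or -1 on error (relative path,
 * fork/wait failure, or a child killed by a signal). */
int run_direct(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;   /* refuse relative names: no PATH lookup at all */
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the command is never re-parsed by a shell, so an IFS of
         * '/' or a '.' in PATH cannot turn "/bin/date" into "bin date". */
        execve(path, argv, safe_env);
        _exit(127);       /* execve() only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(void)
{
    /* The equivalent of system("/bin/date") without the shell in between. */
    char *const argv[] = { "/bin/date", NULL };
    return run_direct("/bin/date", argv);
}
```

The same pattern applies to any fixed command a set-uid program has to launch: absolute path, an argv you built yourself, and an environment you chose rather than inherited.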