Bugtraq mailing list archives
Re: system() call in suid programs
From: Kari.Hurtta () dionysos fmi fi (Kari E. Hurtta)
Date: Fri, 14 Jun 1996 20:25:48 +0300
Not Joe writes:
Hello, I know that it is bad to use the system() system call in programs, especially ones that are suid root, and that it can be exploited fairly easily. Could somebody post or send me details how exploits based on the system() call work? Detail would be good, as I am supposed to explain the security implications to my boss at our next meeting.
system(char *str) does the following:
    fork()s
    exec()s '/bin/sh' with arguments '-c' and str
This means:
- All of the shell's metacharacters are in effect:
      ; $ \ & ' " [ ] ( ) { } :
  > For example if your code is
        sprintf(buffer,"telnet %s",host);
        system(buffer);
  * Consider what happens if 'host' is:
        badname; rm -rf /
- The shell follows environment variables such as
  PATH and IFS
  * Consider what happens if the user
    adds '.' to the beginning of PATH and
    puts a script named 'telnet' in the
    default directory:
        #!/bin/sh
        cp /bin/sh my_suid_shell
        chmod u+s my_suid_shell
    and calls your suid program
  * Consider what happens if your code is
        sprintf(buffer,"/usr/bin/telnet %s",host);
        system(buffer);
    and the user adds '/tmp' to $PATH and sets $IFS to " /"
    and puts a script named 'usr' in
    /tmp
    and calls your suid program.
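
Added example, not part of the original post: one way to make the telnet call from the post without system(), so that no shell parses the host string and the caller's PATH and IFS never reach the child. The function names, the hostname character set and the /usr/bin/telnet path are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only letters, digits, '.' and '-' (no leading '-'). */
int host_ok(const char *h)
{
    size_t i, n = strlen(h);
    if (n == 0 || n > 255 || h[0] == '-')
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)h[i]) && h[i] != '.' && h[i] != '-')
            return 0;
    return 1;
}

/* Hypothetical helper: exec an absolute path, no shell; returns exit status or -1. */
int run_no_shell(const char *prog, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;
    if (prog[0] != '/')          /* never search PATH */
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, clean_env);  /* caller's PATH and IFS are dropped */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The telnet call from the post, without system(). Path is an assumption. */
int telnet_to(const char *host)
{
    char *argv[] = { "telnet", (char *)host, NULL };
    return host_ok(host) ? run_no_shell("/usr/bin/telnet", argv) : -1;
}

int main(int argc, char **argv)
{
    return argc == 2 ? telnet_to(argv[1]) != 0 : 2;
}
```

Because execve() receives the host as a single argv entry, a value such as the one in the post would at worst be an invalid hostname, and here it is rejected before any process is started.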
