Bugtraq mailing list archives
SMASHING THE STACK: PREVENTION?
From: massimo () VNET IBM COM (massimo at vnet.ibm.com)
Date: Mon, 28 Apr 1997 13:45:32 UTC
--------

What about a sort of "execXXX-wrapper"? Instead of patching the kernel, I wonder whether it makes sense to patch the C library (libc.a). In each routine of the exec family (execvp, execl, execve...) one could add something like:

    if(real_user_id==effective_user_id ||           /* standard case */
       (real_user_id && effective_user_id) ||       /* switching between two users */
       (real_user_id==0 && effective_user_id==0) || /* it is root: no problem */
       (real_user_id==0 && effective_user_id)) {    /* it is root: no problem */
        go ahead with no further check;              /* no problem */
    } else {
        if(real_user_id && effective_user_id==0) {   /* this could be an exploit */
            double_check before execXXX execution...
        } else {
            fprintf(stderr,"Something is really wrong!!!\n");
        }
    }

For all I know there are very few SUID 0 programs which invoke execXXX routines to spawn a shell. Getty is probably the only significant SUID program which starts a shell, so it should be pretty easy to introduce additional checks: for instance, if the SUID program tries to exec any of the shells (csh, bash, ksh, ...), just return an error and log the real_user_id somewhere.

Any comment?

-------------- Massimo Bernaschi ---------------------
| IBM Semea          | e-mail: massimo () vnet ibm com |
| via Shanghai 53    | phone: +39 6 59665316           |
| 00144 Roma - ITALY | fax: +39 6 59665084             |
------------------------------------------------------
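The uid/euid policy sketched in the post, written out as a compilable C wrapper. This is an added example, not code from the post or from any libc; the function names (classify_uids, is_shell_path, exec_allowed, checked_execve), the shell name list, and the log format are assumptions. The "double check" the post leaves open is filled in with the shell-name test the post suggests: when a process runs with a non-zero real uid and effective uid 0, an exec of a known shell is refused with EPERM and the real uid is logged.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdicts of the uid/euid policy from the post. */
enum exec_verdict {
    EXEC_ALLOW,        /* standard case, user-to-user switch, or root */
    EXEC_DOUBLE_CHECK, /* ruid != 0 && euid == 0: a SUID-root program is exec'ing */
    EXEC_WRONG         /* combination the post treats as impossible */
};

/* Mirrors the if/else chain in the post. Since each uid is either 0 or
 * non-zero, every combination lands in ALLOW or DOUBLE_CHECK; the last
 * branch survives only as a sanity check, exactly as in the post. */
enum exec_verdict classify_uids(uid_t ruid, uid_t euid)
{
    if (ruid == euid ||                 /* standard case */
        (ruid != 0 && euid != 0) ||     /* switching between two users */
        (ruid == 0 && euid == 0) ||     /* it is root */
        (ruid == 0 && euid != 0))       /* root dropping to a user */
        return EXEC_ALLOW;
    if (ruid != 0 && euid == 0)
        return EXEC_DOUBLE_CHECK;
    return EXEC_WRONG;
}

/* Shell names to refuse (assumed list; the post names csh, bash, ksh). */
static const char *const SHELLS[] = { "sh", "csh", "bash", "ksh", "tcsh", "zsh", NULL };

/* Return 1 if the last path component of `path` is a known shell name. */
int is_shell_path(const char *path)
{
    const char *base = strrchr(path, '/');
    const char *const *s;
    base = base ? base + 1 : path;
    for (s = SHELLS; *s; s++)
        if (strcmp(base, *s) == 0)
            return 1;
    return 0;
}

/* Full decision: 0 = let the exec proceed, -1 = refuse (errno = EPERM).
 * `log` receives the real uid of refused attempts; may be NULL. */
int exec_allowed(uid_t ruid, uid_t euid, const char *path, FILE *log)
{
    switch (classify_uids(ruid, euid)) {
    case EXEC_ALLOW:
        return 0;
    case EXEC_DOUBLE_CHECK:
        if (is_shell_path(path)) {
            if (log)
                fprintf(log, "refused exec of %s: ruid=%lu euid=%lu\n",
                        path, (unsigned long)ruid, (unsigned long)euid);
            errno = EPERM;
            return -1;
        }
        return 0;            /* SUID-root exec of a non-shell: allowed */
    default:
        if (log)
            fprintf(log, "Something is really wrong!!! ruid=%lu euid=%lu\n",
                    (unsigned long)ruid, (unsigned long)euid);
        errno = EPERM;
        return -1;
    }
}

/* Drop-in replacement for execve(2) that applies the policy first. */
int checked_execve(const char *path, char *const argv[], char *const envp[])
{
    if (exec_allowed(getuid(), geteuid(), path, stderr) != 0)
        return -1;
    return execve(path, argv, envp);
}

int main(void)
{
    /* Constructed sample decisions; no process is actually exec'd here. */
    printf("ruid=1000 euid=0    /bin/csh    -> %d\n", exec_allowed(1000, 0, "/bin/csh", stdout));
    printf("ruid=1000 euid=0    /usr/bin/id -> %d\n", exec_allowed(1000, 0, "/usr/bin/id", stdout));
    printf("ruid=1000 euid=1000 /bin/bash   -> %d\n", exec_allowed(1000, 1000, "/bin/bash", stdout));
    return 0;
}
```

Two points a practitioner would check before relying on this: the exec*p variants search PATH, so the name test has to run on the resolved path rather than the bare command name, and matching on the final path component only catches binaries installed under a shell's usual name, so the list is a coarse filter rather than a complete one.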
Current thread:
- Smashing the Stack: prevention? nate (Apr 27)
- Re: Smashing the Stack: prevention? Thomas H. Ptacek (Apr 27)
- Re: Smashing the Stack: prevention? Russell Coker (Apr 28)
- Possibly exploitable buffer overflow in Solaris 2.5.1 ps Joe Zbiciak (Apr 28)
- Re: Possibly exploitable buffer overflow in Solaris 2.5.1 ps Geoffrey KEATING (Apr 29)
- Digital UNIX/Irix mesg problem Tom Leffingwell (Apr 29)
- Re: Digital UNIX/Irix mesg problem John Sheehy (Apr 29)
- Access control on W3C httpd server Peter Lord (Apr 30)
- vulnerabilities in kerberos David Sacerdote (Apr 29)
- Sun Security Bulletin #00139 Sun Security Coordination Team (Apr 29)
- SMASHING THE STACK: PREVENTION? massimo at vnet.ibm.com (Apr 28)
- Re: SMASHING THE STACK: PREVENTION? Alex Belits (Apr 28)
- Re: SMASHING THE STACK: PREVENTION? Thomas H. Ptacek (Apr 29)
- Re: Smashing the Stack: prevention? Thomas H. Ptacek (Apr 27)
- Re: Smashing the Stack: prevention? Tim Newsham (Apr 27)
- Re: Smashing the Stack: prevention? Joe Zbiciak (Apr 28)
- Re: Smashing the Stack: prevention? Daniel Ryde (Apr 28)
- xlock clarification.... David Hedley (Apr 28)
- Re: Smashing the Stack: prevention? Steve Coleman - SEWP (Apr 28)
- Re: Smashing the Stack: prevention? Alexander Snarskii (Apr 28)
- Re: Smashing the Stack: prevention? Michael Shields (Apr 28)
- Re: Smashing the Stack: prevention? Theo de Raadt (Apr 28)