Bugtraq mailing list archives

profil(2) bug, a simple test program


From: ross () GHS COM (Ross Harvey)
Date: Mon, 9 Aug 1999 04:18:36 -0700


This program will check to see if a given system has the profil(2) bug
described in NetBSD Security Advisory 1999-011.  If it prints `Counting!'
then you've got it...

At least one system (Solaris) appears to fix the security issue but
doesn't turn off profiling unless the new image is owned by a different
user. To check for this, you need to do something like:

        % cc profiltest.c
        % su
        # mv a.out prog.setuid
        # chown (something) prog.setuid
        # (possibly make it setuid)
        # exit
        % ./a.out

If the program doesn't find prog.setuid, it just exec's itself; this
gets the same result on most systems.  (So: % cc profiltest.c; ./a.out)

So far, I've only found it in BSD systems. Linux hasn't had profiling
in the kernel for a while, so current versions should not be vulnerable.

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>

/*
 * Two sample bins.  The first image turns on profiling into this buffer and
 * then exec()s a new image.  If the kernel fails to cancel profiling across
 * exec, it keeps writing PC samples to the same address in the new image,
 * so the new image sees the bins change.
 */
volatile unsigned short twobins[2];

int
main(int ac, char **av)
{

        if (ac == 1) {
                /*
                 * Can't check the return value; on some systems it's void.
                 * The buffer is passed as void * because the historic BSD
                 * prototype takes char * and the modern one takes
                 * unsigned short *.
                 */
                profil((void *)twobins, sizeof twobins, (u_long)&main, 2);
                /* try a different image for uid/setuid tests */
                execl("prog.setuid", "tryroot", "-", (char *)0);
                /* otherwise, just chain to ourself */
                execl(av[0], av[0], "-", (char *)0);
                fprintf(stderr, "problems\n");
                exit(1);
        }
        /* second image: spin and watch for samples landing in the bins */
        for (;;) {
                if (twobins[0] | twobins[1]) {
                        printf("Counting!\n");
                        twobins[0] = twobins[1] = 0;
                }
        }
}

        /* ross.harvey () computer org */

