Bugtraq mailing list archives
Re: Format String Attacks
From: Rick Perry <perry () NEWS VILL EDU>
Date: Wed, 13 Sep 2000 14:42:27 -0400
Doug Hughes <Doug.Hughes () eng auburn edu> writes:
> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.
>
> /*
>  * This program provided AS IS with no warranty
>  * Copyright 2000, doug () eng auburn edu
>  * Use freely.
>  * The environment from the original program is completely obliviated
>  */
I found that completely obliviating the environment prevents one from
logging in using CDE in Solaris 7; actually, if you just truncate all env
strings to 128 bytes it prevents CDE login, apparently because there are
some necessary long env strings. The ones I leave alone are:

#define MAX_LENGTH 128
/* environment variables which we allow to exceed MAX_LENGTH */
char *longenv[] = {
    "DTAPPSEARCHPATH=",
    "DTDATABASESEARCHPATH=",
    "DTHELPSEARCHPATH=",
    "DTSCREENSAVERLIST=",
    "MANPATH=",
    "NLSPATH=",
    "PATH=",
    "TERMCAP=",
    "XFILESEARCHPATH=",
    "XMICONBMSEARCHPATH=",
    "XMICONSEARCHPATH=",
    NULL
};

I know that NLSPATH is in my list above, but having it set long doesn't
seem to be part of the recent exploits.
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>     /* strlen, strcpy, strcat */
> #include <unistd.h>     /* execve */
>
> int main (int argc, char *argv[])
> {
>     char *origfile;
>     char *envp[1] = { (char *) NULL };   /* empty environment for the target */
>
>     if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
If this wrapper is setuid, using argv[0] doesn't seem safe. One could do
something like this:

    cp /bin/sh sh.orig; ln -s path_to_wrapper sh; ./sh

and get a shell under that uid. What I do instead is something like:

    execv( ORIG, argv);

where ORIG is #define'd separately (gcc -DORIG=\"/bin/something.orig\")
for each setuid program being wrapped, i.e. each wrapper has a hard-coded
string for the .orig program to execute, and each .orig has its own wrapper.
>         perror("allocating memory");
>         exit(1);
>     }
>     strcpy(origfile, argv[0]);      /* target is argv[0] + ".orig" */
>     strcat(origfile, ".orig");
>     execve(origfile, argv, envp);
>     perror("execve");               /* execve only returns on failure */
>     return 1;
> }
...Rick
perry () ece villanova edu, http://www.ece.villanova.edu/~perry/ [PGP]
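Putting the two points of this thread together (a hard-coded target instead of argv[0], and an environment that is truncated rather than emptied, with the whitelist above), here is an added example wrapper; it is not Doug's or Rick's code. ORIG is a placeholder path to be replaced per wrapper at build time, and dropping entries that have no '=' is my addition, not something the posts describe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
/* Placeholder target; a real wrapper hard-codes its own .orig path here */
#define ORIG "/usr/bin/PLACEHOLDER.orig"
#define MAX_LENGTH 128
/* Variables allowed to exceed MAX_LENGTH (the list from the post above). */
static const char *longenv[] = {
    "DTAPPSEARCHPATH=", "DTDATABASESEARCHPATH=", "DTHELPSEARCHPATH=",
    "DTSCREENSAVERLIST=", "MANPATH=", "NLSPATH=", "PATH=", "TERMCAP=",
    "XFILESEARCHPATH=", "XMICONBMSEARCHPATH=", "XMICONSEARCHPATH=", NULL
};
/* 1 if entry s starts with one of the whitelisted "NAME=" prefixes. */
int allowed_long(const char *s)
{
    for (int i = 0; longenv[i] != NULL; i++)
        if (strncmp(s, longenv[i], strlen(longenv[i])) == 0)
            return 1;
    return 0;
}
/* Copy in[] into a new NULL-terminated array, truncating each entry longer
 * than MAX_LENGTH unless whitelisted; entries without '=' are dropped
 * (an addition of this example). Returns NULL on allocation failure. */
char **sanitize_env(char *const in[])
{
    size_t n = 0, k = 0;
    while (in[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strchr(in[i], '=') == NULL) continue;
        size_t len = strlen(in[i]);
        if (len > MAX_LENGTH && !allowed_long(in[i])) len = MAX_LENGTH;
        if ((out[k] = malloc(len + 1)) == NULL) return NULL;
        memcpy(out[k], in[i], len);
        out[k++][len] = '\0';
    }
    return out;
}

int main(int argc, char *argv[])
{
    (void)argc;
    char **clean = sanitize_env(environ);
    if (clean == NULL) { perror("sanitize_env"); return 1; }
    execve(ORIG, argv, clean);   /* fixed target: argv[0] is never consulted */
    perror("execve");            /* execve only returns on failure */
    return 1;
}
```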