Bugtraq mailing list archives

Re: Format String Attacks


From: Rick Perry <perry () NEWS VILL EDU>
Date: Wed, 13 Sep 2000 14:42:27 -0400

Doug Hughes <Doug.Hughes () eng auburn edu> writes:
Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

/*
 * This program provided AS IS with no warranty
 * Copyright 2000, doug () eng auburn edu
 * Use freely.
 * The environment from the original program is completely obliterated
 */

I found that completely obliterating the environment prevents one from
logging in using CDE in Solaris 7; actually, if you just truncate all
env strings to 128 bytes it prevents CDE login, apparently because
there are some necessary long env strings.  The ones I leave alone
are:

#define MAX_LENGTH 128

/* environment variables which we allow to exceed MAX_LENGTH */

char *longenv[] = {
  "DTAPPSEARCHPATH=",
  "DTDATABASESEARCHPATH=",
  "DTHELPSEARCHPATH=",
  "DTSCREENSAVERLIST=",
  "MANPATH=",
  "NLSPATH=",
  "PATH=",
  "TERMCAP=",
  "XFILESEARCHPATH=",
  "XMICONBMSEARCHPATH=",
  "XMICONSEARCHPATH=",
  NULL
};

I know that NLSPATH is in my list above, but having it set long doesn't seem to
be part of the recent exploits.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, strcpy, strcat */
#include <unistd.h>     /* execve */


int main (int argc, char *argv[]) {

      char *origfile;
      char *envp[1] = { (char *) NULL };   /* empty environment for the wrapped program */

      if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {

If this wrapper is setuid, using argv[0] doesn't seem safe.  One could
do something like this: cp /bin/sh sh.orig; ln -s path_to_wrapper sh; ./sh
and get a shell under that uid.

What I do instead is something like: execv( ORIG, argv);
where ORIG is #define'd separately (gcc -DORIG=\"/bin/something.orig\") for each
setuid program being wrapped, i.e. each wrapper has a hard-coded string for
the .orig program to execute, and each .orig has its own wrapper.

              perror("allocating memory");
              exit(1);
      }
      strcpy(origfile, argv[0]);
      strcat(origfile, ".orig");

      execve(origfile, argv, envp);
      /* execve only returns on failure */
      perror("execve");
      return 1;
}
...


...Rick  perry () ece villanova edu, http://www.ece.villanova.edu/~perry/ [PGP]
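Putting the two points of this reply together, here is an added example in C (written for this page, not code from either post) of a setuid wrapper that drops environment strings longer than MAX_LENGTH unless their name is on the allow-list above, and then execs a compile-time ORIG path rather than anything derived from argv[0]. The default ORIG value and the 1024-entry cap on the filtered environment are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef ORIG
#define ORIG "/usr/bin/eject.orig"   /* placeholder; set with gcc -DORIG=\"...\" */
#endif
#define MAX_LENGTH 128

extern char **environ;
/* Variables allowed to exceed MAX_LENGTH (the list from the reply above). */
static const char *longenv[] = {
    "DTAPPSEARCHPATH=", "DTDATABASESEARCHPATH=", "DTHELPSEARCHPATH=",
    "DTSCREENSAVERLIST=", "MANPATH=", "NLSPATH=", "PATH=", "TERMCAP=",
    "XFILESEARCHPATH=", "XMICONBMSEARCHPATH=", "XMICONSEARCHPATH=", NULL
};

/* 1 if the "NAME=value" string may reach the wrapped program, else 0. */
int env_allowed(const char *entry)
{
    if (strchr(entry, '=') == NULL)          /* not NAME=value: drop it */
        return 0;
    if (strlen(entry) <= MAX_LENGTH)         /* short enough: keep it */
        return 1;
    for (size_t i = 0; longenv[i] != NULL; i++)   /* long, but allow-listed? */
        if (strncmp(entry, longenv[i], strlen(longenv[i])) == 0)
            return 1;
    return 0;
}

/* Copy the allowed entries of in[] into NULL-terminated out[]; return count kept. */
size_t filter_env(char *const in[], char *out[], size_t outcap)
{
    size_t n = 0;
    for (; *in != NULL && n + 1 < outcap; in++)
        if (env_allowed(*in))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *envp[1024];                        /* assumed upper bound on entries kept */
    (void)argc;
    filter_env(environ, envp, sizeof envp / sizeof envp[0]);
    execve(ORIG, argv, envp);                /* hard-coded target; returns only on failure */
    perror(ORIG);
    return 1;
}
```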

