Re: Local suid files and buffer overflows

[Joachim Schipper <j.schipper () math uu nl>]

On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote:
> Hi, 
>  
> first of all apologies for asking such a newbie question but I am trying 
> to learn how to exploit buffer overflows and therefore wrote a little 
> program to exploit. This little program has the following permissions: 
>  
> $ ls -la test1 
> -rwsr-sr-x  1 root root 17164 Oct  8 01:25 test1 
>  
> Now I exploited it using Aleph One's shellcode (see  
> http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID 
> shell afterwards (I know the exploit did work but I still have my normal 
> user privleges). Why? I have tried a different shellcode to write a file 
> and this file was root:root. Any ideas, hints, rtfm? 
>  
> Thank you. 
>  
> Best regards, 
> Werner. 

Try the following:

# mount
<snippity>
/dev/hdb2 on /home type ext3 (rw,nosuid,nodev)
<snippity>

nosuid means that suid binaries lose their special properties here.
See mount(8). As you just proved, it's not completely useless.

As an additional exercise, bypass the nosuid mount option. Or just copy
it somewhere without nosuid.

(There are many, many other ways this behaviour could have happened, but
this one sounds most likely...)

                Joachim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/