Vulnerability Development mailing list archives

Re: 1 Suid-Writeable Root Owned File...Easy Compromise?


From: Ralph Moonen <ralph () TINK ORG>
Date: Sat, 28 Oct 2000 00:39:09 +0200

At 20:05 26-10-00 -0400, Barry Russell wrote:
While messing around with a big web hosting company Sun OS system I came
across one (well actually two but too much messing around got that file
deleted) and the file was owned root, suid and writeable by all.

$ ls -la xu_chown
-rwsrwxrwx   1 root     root        xxxxxx Oct ?? ??:?? xu_chown
(variables changed to protect the innocent)

The file is a binary file, so after a little more messing around and
talking with a few people I was able to construct a perl script that
carries the source of one binary to that file so that the permissions
would stay the same. Well I did a little bit of playing around with no way
of taking 'advantage' of this file. I was wondering since it's
root/suid/writeable was there any way to exploit this? This file might
also be the same way on other Sun systems but I have yet to check and see.

As far as I know, it's not exploitable in a quick way, because while the
permission stays the same, as soon as you modify the file, the ownership
changes to you.

Of course you can run it in a debugger and it will retain the
suid characteristics, meaning that you can manipulate the stack and
variables directly (as root) and take advantage like that.

--Ralph
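The check a practitioner would want after reading this thread is twofold: find every file on a box that is both setuid and world-writable (the xu_chown pattern), and record exactly which attributes a write by a non-owner does and does not change. The script below is an added example, not code from either poster; it builds its own constructed sample tree under a temporary directory (the file names and the function names find_suid_world_writable, write_and_compare and build_fixture are hypothetical), walks it with lstat so a planted symlink cannot be mistaken for its target, and reports mode and owner before and after an in-place overwrite so the reader can see on their own kernel what actually happens to the setuid bit:

```python
#!/usr/bin/env python3
"""Audit a directory tree for setuid, world-writable files (the xu_chown case).

Added example, not part of the original post. Assumes a POSIX filesystem
that honours mode bits; function and file names are hypothetical.
"""
import os
import stat
import tempfile


def find_suid_world_writable(root):
    """Return sorted (path, mode, uid) for regular files that are both
    setuid and world-writable, i.e. 'rwsrwxrwx'-style entries.
    lstat is used so a symlink pointing at a setuid file is never
    reported as if it were the target."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_mode & stat.S_IWOTH:
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def write_and_compare(path, data=b"#!/bin/sh\nid\n"):
    """Overwrite path in place and return
    (mode_before, mode_after, uid_before, uid_after).
    Whether S_ISUID survives depends on the kernel and on whether the
    writer holds CAP_FSETID (Linux clears the bit for writers that do
    not); the rwx bits and the owner are not touched by a write."""
    before = os.lstat(path)
    with open(path, "r+b") as fh:
        fh.write(data)
        fh.truncate()
    after = os.lstat(path)
    return (stat.S_IMODE(before.st_mode), stat.S_IMODE(after.st_mode),
            before.st_uid, after.st_uid)


def build_fixture():
    """Constructed sample tree (not real system files): one rwsrwxrwx
    file, one setuid but not world-writable, one world-writable but not
    setuid, and a symlink to the bad one. Returns (root, bad_path)."""
    root = tempfile.mkdtemp(prefix="suidaudit-")

    def mk(name, mode):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(b"\x7fELF placeholder, constructed for the example\n")
        os.chmod(p, mode)  # owner may set S_ISUID on a file it owns
        return p

    bad = mk("xu_chown", 0o4777)
    mk("passwd_like", 0o4755)
    mk("scratch", 0o0666)
    os.symlink(bad, os.path.join(root, "link_to_bad"))
    return root, bad


if __name__ == "__main__":
    root, bad = build_fixture()
    for path, mode, uid in find_suid_world_writable(root):
        tag = " (ROOT OWNED)" if uid == 0 else ""
        print("%s mode=%04o uid=%d%s" % (path, mode, uid, tag))
    mode_b, mode_a, uid_b, uid_a = write_and_compare(bad)
    print("mode %04o -> %04o, uid %d -> %d" % (mode_b, mode_a, uid_b, uid_a))
```

On a real host the same walk would be run from / with the output filtered to uid 0; the interesting line in the second report is whether mode_a still carries the 4 in the setuid position for the account doing the write, which is what decides whether simply overwriting the binary is enough.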
