[10122] in bugtraq


Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight

daemon@ATHENA.MIT.EDU (Viktor Fougstedt)
Wed Apr 7 14:52:32 1999

Date: 	Wed, 7 Apr 1999 20:00:33 +0200
Reply-To: Viktor Fougstedt <viktor@DTEK.CHALMERS.SE>
From: Viktor Fougstedt <viktor@DTEK.CHALMERS.SE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3.0.1.32.19990406195725.00718e68@telesun2.telemation.de>

On Tue, 6 Apr 1999, Stefan Rompf wrote:

> >Exploited overflow in ipop3d could be used to gain superuser access (the
> >only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
>
>     If the effective user ID of the process calling setuid()  is
>     the  super-user, the real, effective, and saved user IDs are
>     set to the uid parameter.

You make an important point.

In fact I have several times seen the opposite problem to that which
the original poster suggested. Some programs running setuid root only
do a seteuid(), which does not touch the saved-user-id. The
programmers have done this in the belief that it drops all root
privileges (the programs did not need to re-acquire privileges at a
later time, and the comments in the code suggested that the call's
intention was to get rid of all privileges).

These programs should probably do a setuid() instead, which affects
saved-user-id as well.

This problem isn't huge, you might say, because whenever you do a
fork() or similar, the saved-user-id should be reset. But if you can
take control of the application via a buffer overflow or the like, and
the saved-user-id is root, then you have no problem getting the root
privileges back before doing a fork().

Just my $.02 worth.


/Viktor...

--|     Viktor Fougstedt, system administrator at dtek.chalmers.se     |--
--|                http://www.dtek.chalmers.se/~viktor/                |--
--| ...soon we'll be sliding down the razor blade of life. /Tom Lehrer |--
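As an added illustration of the seteuid()/setuid() point in the mail above, not code from the original post: a small Linux C program that inspects the real, effective and saved uids with getresuid() (a Linux/BSD call, not available on the Solaris of the quoted manpage) after each kind of "drop". The target uid 65534 is a constructed value; any unprivileged uid on your system will do.

```c
#define _GNU_SOURCE 1   /* getresuid() is a Linux/BSD extension declared in <unistd.h> */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid); /* repeated in case the macro came too late */

/* 1 if euid 0 can still be re-obtained from the saved uid, else 0; a successful
 * seteuid(0) is undone at once so the caller's state is unchanged. */
static int can_regain_root(uid_t current) {
    if (seteuid(0) != 0) return 0;
    seteuid(current);
    return 1;
}

/* The mistaken drop from the mail: seteuid() changes only the effective uid and
 * leaves the saved uid at 0. Returns 1 if root is still reachable afterwards. */
static int drop_with_seteuid(uid_t target) {
    uid_t r, e, s;
    if (seteuid(target) != 0) return -1;
    getresuid(&r, &e, &s);
    printf("seteuid(%u): real=%u effective=%u saved=%u\n",
           (unsigned)target, (unsigned)r, (unsigned)e, (unsigned)s);
    return can_regain_root(target);
}

/* The permanent drop: with euid 0, setuid() sets all three uids, as the quoted
 * manpage says. Returns 0 only if all three equal target and root is gone for good. */
static int drop_with_setuid(uid_t target) {
    uid_t r, e, s;
    if (setuid(target) != 0) return -1;
    getresuid(&r, &e, &s);
    if (r != target || e != target || s != target) return -1;
    if (target != 0 && can_regain_root(target)) return -1;
    return 0;
}

int main(void) {
    uid_t nobody = 65534;  /* constructed target; use any unprivileged uid on your system */
    if (geteuid() != 0)    /* not root: only the permanent-drop check is meaningful */
        return drop_with_setuid(getuid()) == 0 ? 0 : 1;
    printf("root reachable after seteuid(): %d\n", drop_with_seteuid(nobody));
    seteuid(0);            /* works precisely because the saved uid is still 0 */
    printf("clean drop via setuid(): %s\n", drop_with_setuid(nobody) == 0 ? "yes" : "no");
    return 0;
}
```

Run as root to see both halves: the first line shows saved=0 surviving seteuid(), the second shows setuid() leaving nothing to come back to.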
