
profil(2) bug, a simple test program

daemon@ATHENA.MIT.EDU (Ross Harvey)
Tue Aug 10 05:24:20 1999

Message-Id:  <199908091118.EAA28980@elbe.ghs.com>
Date:         Mon, 9 Aug 1999 04:18:36 -0700
Reply-To: Ross Harvey <ross@GHS.COM>
From: Ross Harvey <ross@GHS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

This program will check to see if a given system has the profil(2) bug
described in NetBSD Security Advisory 1999-011.  If it prints `Counting!'
then you've got it...

At least one system (Solaris) appears to fix the security issue but
doesn't turn off profiling unless the new image is owned by a different
user. To check for this, you need to do something like:

	% cc profiltest.c
	% su
	# mv a.out prog.setuid
	# chown (something) prog.setuid
	# (possibly make it setuid)
	# exit
	% ./a.out

If the program doesn't find prog.setuid, it just exec's itself; this
gets the same result on most systems.  (So: % cc profiltest.c; ./a.out)

So far, I've only found it in BSD systems. Linux hasn't had profiling
in the kernel for a while, so current versions should not be vulnerable.

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Profiling bins; the kernel bumps these as long as profiling stays armed. */
volatile unsigned short twobins[2];

int
main(int ac, char **av)
{

	if (ac == 1) {
		/* Arm profiling on our own image.  Can't check the return
		 * value; on some systems profil() is void. */
		profil((char *)twobins, sizeof twobins, (u_long)&main, 2);
		/* try a different image for uid/setuid tests */
		execl("prog.setuid", "tryroot", "-", (char *)NULL);
		/* otherwise, just chain to ourself */
		execl(av[0], av[0], "-", (char *)NULL);
		fprintf(stderr, "problems\n");
		exit(1);
	}
	/* Second stage, after the exec.  A correct kernel has turned
	 * profiling off.  Since this is the same binary at the same
	 * addresses, the old buffer address is our twobins again: if the
	 * kernel is still writing samples there, the bins change. */
	for (;;) {
		if (twobins[0] | twobins[1]) {
			printf("Counting!\n");
			twobins[0] = twobins[1] = 0;
		}
	}
}

	/* ross.harvey@computer.org */
