[25240] in bugtraq
Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio)
daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Apr 24 15:23:10 2002
To: bugtraq@securityfocus.com
Date: Wed, 24 Apr 2002 14:17:30 -0400 (EDT)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20020424181730.C121FBC073@spike.porcupine.org>
From: wietse@porcupine.org (Wietse Venema)
It is interesting to see that old problems with set-uid commands
keep coming back. Allow me to speed up the discussion a bit by
enumerating a few other channels for attack on set-uid commands.
A quick perusal of /usr/include/sys/proc.h reveals a large number
of "inputs" that a child process may inherit from a potentially
untrusted parent process.
The list includes, but is not limited to:
command-line array
environment array
open files
current directory
blocked/enabled signals
pending timers
resource limits
scheduling priority
All these sources of data can be, and have been, involved in attacks
on set-uid or set-gid commands (although I do not remember specific
details of pending timer attacks).
In addition to these "inheritance" attacks which are specific to
set-uid and set-gid commands, set-uid and set-gid commands can be
exposed to attacks via the /proc interface, and can be exposed to
ordinary data-driven attacks by feeding them nasty inputs.
Thus, set-uid and set-gid commands are exposed to a lot more attack
types than your average network service. The reason that network
attacks get more attention is simply that there are more opportunities
to exploit them.
Wietse
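The inheritance channels enumerated in the post, as an added example that is not part of Wietse's message or of the FreeBSD advisory: a startup routine that a set-uid or set-gid program can call before it does anything else, resetting each inherited input in turn (standard descriptors, leftover open files, signal dispositions and mask, interval timers, soft resource limits, environment, working directory, scheduling priority). The function names, the fixed PATH/IFS values and the 65536 descriptor cap are our assumptions; the calls are POSIX with the usual BSD/Linux extensions (NSIG, setitimer, setpriority).

```c
/* Added example (not from the post): reset the state a set-uid program inherits. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <unistd.h>
extern char **environ;

/* Descriptors 0-2: if the parent closed one, our next open() lands in that slot
 * and diagnostics go into the file. Returns how many were pointed at /dev/null. */
int ensure_std_fds(void)
{
    int fd, nullfd, reopened = 0;
    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                           /* already open */
        nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd != fd)                       /* open() takes the lowest free slot */
            return -1;
        reopened++;
    }
    return reopened;
}

/* Close everything above 2: no inherited sockets or files. Scans to the hard
 * NOFILE limit; a parent can lower the soft limit after opening descriptors. */
int close_inherited_fds(void)
{
    struct rlimit rl;
    long maxfd = sysconf(_SC_OPEN_MAX);
    int fd, closed = 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && (long) rl.rlim_max > maxfd)
        maxfd = (long) rl.rlim_max;             /* RLIM_INFINITY casts negative */
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;                          /* constructed sanity cap */
    for (fd = 3; fd < maxfd; fd++)
        closed += (close(fd) == 0);
    return closed;
}

/* Default disposition and an empty mask for every signal: an ignored or
 * blocked signal chosen by the parent must not alter our control flow. */
int reset_signals(void)
{
    struct sigaction sa;
    sigset_t none;
    int sig;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_DFL;
    sigemptyset(&sa.sa_mask);
    for (sig = 1; sig < NSIG; sig++)
        sigaction(sig, &sa, NULL);              /* KILL/STOP fail; fine */
    sigemptyset(&none);
    return sigprocmask(SIG_SETMASK, &none, NULL);
}

/* Interval timers (alarm() included) survive execve; cancel them. */
void cancel_timers(void)
{
    struct itimerval zero = { {0, 0}, {0, 0} };
    setitimer(ITIMER_REAL, &zero, NULL);
    setitimer(ITIMER_VIRTUAL, &zero, NULL);
    setitimer(ITIMER_PROF, &zero, NULL);
}

/* A parent can shrink soft limits (a tiny RLIMIT_FSIZE truncates a file we
 * rewrite); raising soft to hard needs no privilege. Returns limits raised. */
int restore_rlimits(void)
{
    static const int res[] = { RLIMIT_CPU, RLIMIT_FSIZE, RLIMIT_NOFILE };
    struct rlimit rl;
    size_t i;
    int raised = 0;
    for (i = 0; i < sizeof res / sizeof res[0]; i++) {
        if (getrlimit(res[i], &rl) != 0 || rl.rlim_cur == rl.rlim_max)
            continue;
        rl.rlim_cur = rl.rlim_max;
        if (setrlimit(res[i], &rl) == 0)
            raised++;
    }
    return raised;
}

/* Fixed environment (PATH, IFS, LD_* are the classic vectors), then leave the
 * parent's directory and ask for normal priority (root-only, so ignored). */
static char *safe_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
int harden_setuid_startup(void)
{
    if (ensure_std_fds() < 0 || reset_signals() != 0)
        return -1;
    close_inherited_fds();
    cancel_timers();
    restore_rlimits();
    environ = safe_env;
    (void) setpriority(PRIO_PROCESS, 0, 0);
    return chdir("/");
}
```

Call harden_setuid_startup() from main() before argument parsing, and on systems that provide closefrom(3) or close_range(2) use those instead of the descriptor loop. This routine only addresses the inheritance channels; the /proc interface and the ordinary data-driven attacks the post mentions next still have to be handled in the program's own input parsing.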