[3249] in bugtraq


Re: libresolv+ bug

daemon@ATHENA.MIT.EDU (Nick Andrew)
Thu Aug 22 14:06:46 1996

Date: 	Thu, 22 Aug 1996 22:56:57 +1000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Nick Andrew <nick@zeta.org.au>
X-To:         tqbf@enteract.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199608220521.AAA27040@enteract.com> from "Thomas Ptacek" at Aug 22, 96 00:21:50 am

Forwarding a message from Thomas Ptacek:
> The primary problem, as I see it, is not that SUID programs are being
> written poorly, or that the sensitivity of SUID programs is not being
> adequately dealt with by the operating system, or the compilers that
> produce the executable code; it's that SUID programs, as present in most
> modern Unix operating systems, are being written at all.

The problems are orthogonal. Poorly written programs can still be
exploited through buffer overflows, stack corruption and the like.
The only difference is - if the program has no additional privileges
then the program can do nothing which the intruder couldn't do anyway.

The exceptions are if the program is running as a different user (e.g.
root) or group, or is running on a machine (or in an environment) in
which the intruder does not have privilege to execute code.

However, as soon as _any_ additional privilege is granted, the
same old vulnerabilities come back to haunt us. Additional privilege
implies that an intruder could abuse that privilege. It hurts so much
because "additional privilege" usually means root access.

> Beyond that, no Unix OS I know of allows admins or programmers to reliably
> specify privileges in anything more than an "all or none" fashion - if
> your program needs permissions to write to /etc/passwd, you need to let it
> run /bin/sh and write to /root/.rhosts as well.

/etc/passwd could be given group write permission - but then, once a program
_can_ write /etc/passwd it can pretty much subvert the rest of the system to
its own ends without any trouble.

> I think it's been
> adequately demonstrated to us that the POSIX saved credentials solution
> insufficiently addresses the potential for subversion most SUID programs
> have.

I think it protects the filesystem - or rather, it protects against
filesystem-based attacks. No such protection against code subversion.

Nick.
--
Kralizec Dialup Internet System         Data: +61-2-9837-1183, 9837-1868
Zeta Microcomputer Software             Fax: +61-2-9837-3753 Voice: 9837-1397
P.O. Box 177, Riverstone NSW 2765       http://www.kralizec.net.au/
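Nick's point about saved credentials, as an added example (not code from the post or from either author): a small C helper, assuming a Linux platform with setresuid()/getresuid(), that contrasts the temporary seteuid() drop, which keeps the saved UID and so can be undone by any code running in the process, with a permanent drop that sets all three UIDs and then verifies that root can no longer be regained. Function names are this example's own.

```c
#define _GNU_SOURCE          /* setresuid()/getresuid() on Linux (assumed platform) */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Temporary drop: only the effective UID changes. The saved UID keeps the
   original (e.g. root) value, so seteuid() can restore it later. This lowers
   privilege for filesystem access, but subverted code can simply undo it. */
int drop_privileges_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* Returns 1 if the effective or saved UID differs from the real UID, i.e.
   the process could still switch to another identity; 0 if not; -1 on error. */
int privileges_regainable(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (e != r || s != r) ? 1 : 0;
}

/* Permanent drop: real, effective and saved IDs are all set to the target.
   Groups go first, because once the UID changes the process may no longer be
   allowed to change its GIDs. The result is verified rather than trusted. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    /* For an unprivileged target, regaining root must now fail. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone run: report whether this process could still change identity. */
    printf("before: regainable=%d\n", privileges_regainable());
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed or did not take effect\n");
        return 1;
    }
    printf("after:  regainable=%d\n", privileges_regainable());
    return 0;
}
```

A real SUID program would also clear supplementary groups with setgroups() before changing the GID; that step is omitted here to keep the UID mechanics in focus.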
