[4360] in bugtraq


SMASHING THE STACK: PREVENTION?


Date: 	Mon, 28 Apr 1997 13:45:32 UTC
Reply-To: "massimo at vnet.ibm.com (+39 (6) 5966.5316)" <massimo@VNET.IBM.COM>
From: "massimo at vnet.ibm.com (+39 (6) 5966.5316)" <massimo@VNET.IBM.COM>
To: BUGTRAQ@NETSPACE.ORG

--------
What about a sort of "execXXX-wrapper"? Instead of patching the kernel,
I wonder whether it makes sense to patch the C library (libc.a). In each
routine of the exec family (execvp, execl, execve...) one could add something
like:

/* inside each exec routine: compare the caller's real and effective uid */
uid_t real_user_id = getuid();
uid_t effective_user_id = geteuid();

if (real_user_id == effective_user_id ||                /* standard case */
    (real_user_id && effective_user_id) ||              /* switching between two users */
    (real_user_id == 0 && effective_user_id == 0) ||    /* it is root: no problem */
    (real_user_id == 0 && effective_user_id)) {         /* it is root: no problem */

    /* go ahead with no further check: no problem */

} else {
    if (real_user_id && effective_user_id == 0) {       /* this could be an exploit */
        /* double_check before execXXX execution... */
    } else {
        fprintf(stderr, "Something is really wrong!!!\n");
    }
}

For all I know there are very few SUID 0 programs which invoke execXXX
routines to spawn a shell. Getty is probably the only significant SUID program
which starts a shell, so it should be pretty easy to introduce additional
checks: for instance, if the SUID program tries to exec any of the shells (csh,
bash, ksh, ...), just return an error and log the real_user_id somewhere.

Any comment?


-------------- Massimo Bernaschi ---------------------
|  IBM Semea          | e-mail: massimo@vnet.ibm.com |
|  via Shanghai 53    | phone: +39 6 59665316        |
|  00144 Roma - ITALY | fax:   +39 6 59665084        |
------------------------------------------------------
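The policy sketched in the post, written out as a compilable C wrapper. This is an added example, not code from the original message or from any libc: the shell list, the function names exec_allowed and guarded_execve, and logging to stderr are all assumptions chosen for illustration. The only state the check treats as suspicious is a process whose real uid is not root while its effective uid is root (a SUID-0 program); every other combination is let through unchanged, exactly as in the post's condition.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Shell names a SUID-root process is not allowed to exec.
   Hypothetical list for this example; extend as needed. */
static const char *const denied_shells[] = {
    "sh", "csh", "tcsh", "bash", "ksh", "zsh", NULL
};

/* Last path component: "/bin/sh" -> "sh", "sh" -> "sh". */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

static int is_shell(const char *path)
{
    const char *name = base_name(path);
    for (const char *const *p = denied_shells; *p; p++)
        if (strcmp(name, *p) == 0)
            return 1;
    return 0;
}

/* Decision function.  Allowed cases, as in the post: real == effective,
   two non-root uids, root/root, and real root with any effective uid.
   The remaining case (real non-root, effective root) is a SUID-0
   program; it may exec anything except a shell.
   Returns 1 to allow the exec, 0 to refuse it. */
int exec_allowed(uid_t ruid, uid_t euid, const char *path)
{
    if (ruid == euid || ruid == 0 || euid != 0)
        return 1;                 /* all the "no problem" cases */
    return !is_shell(path);       /* SUID 0: refuse shells only */
}

/* What the patched libc entry point would look like: run the check,
   log the real uid on refusal and fail with EPERM, otherwise fall
   through to the real execve().  Logging to stderr is an assumption. */
int guarded_execve(const char *path, char *const argv[], char *const envp[])
{
    uid_t ruid = getuid(), euid = geteuid();
    if (!exec_allowed(ruid, euid, path)) {
        fprintf(stderr, "execve(%s) refused: real uid %lu, effective uid %lu\n",
                path, (unsigned long)ruid, (unsigned long)euid);
        errno = EPERM;
        return -1;
    }
    return execve(path, argv, envp);
}

/* Stand-alone demonstration on constructed uid/path combinations. */
int main(void)
{
    struct { uid_t ruid, euid; const char *path; } cases[] = {
        { 1000, 1000, "/bin/sh"  },   /* ordinary process: allowed */
        { 1000,    0, "/bin/sh"  },   /* SUID 0 spawning a shell: refused */
        { 1000,    0, "/bin/ls"  },   /* SUID 0 running a non-shell: allowed */
        {    0, 1000, "/bin/bash"},   /* root dropping privileges: allowed */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("ruid=%lu euid=%lu %-10s -> %s\n",
               (unsigned long)cases[i].ruid, (unsigned long)cases[i].euid,
               cases[i].path,
               exec_allowed(cases[i].ruid, cases[i].euid, cases[i].path)
                   ? "allow" : "refuse");
    return 0;
}
```

The check lives in user space, so it only sees exec calls that go through the patched library: a statically linked binary, or injected code that issues the execve system call directly, never reaches it, and a SUID-0 process remains free to exec any program not on the shell list.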
