[16743] in bugtraq


Re: Format String Attacks

daemon@ATHENA.MIT.EDU (Doug Hughes)
Wed Sep 13 12:36:31 2000

Message-Id:  <200009131509.KAA09328@galen.eng.auburn.edu>
Date:         Wed, 13 Sep 2000 10:09:58 -0500
Reply-To: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
From: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

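/*
 * This program provided AS IS with no warranty
 * Copyright 2000, doug@eng.auburn.edu
 * Use freely.
 * The environment from the original program is completely obliterated
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char *argv[]) {

	char *origfile;
	char *envp[1] = { (char *) NULL };	/* empty environment for the real program */

	/* argv[0] is supplied by the caller and may be missing */
	if (argc < 1 || argv[0] == NULL) {
		fprintf(stderr, "no program name\n");
		exit(1);
	}
	/* room for argv[0] + ".orig" + terminating NUL */
	if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
		perror("allocating memory");
		exit(1);
	}
	strcpy(origfile, argv[0]);
	strcat(origfile, ".orig");

	execve(origfile, argv, envp);
	/* execve only returns on failure */
	perror(origfile);
	return 1;
}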


Here's a simplistic shell command (with Perl) to replace all the
setuid binaries by renaming them to $file.orig and then copying the wrapper
into place and setting the appropriate permissions on the wrapper and the
.orig binary.


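#!/bin/sh

# Rename each local setuid binary to $file.orig and put the wrapper in its place.
find / -local -perm -4111 -print | /opt/local/bin/perl5 -ne '
	chomp();
	($dev, $ino, $mode, $nlink, $uid, $gid) = stat($_) or next;
	rename($_, "$_.orig") or next;
	# List form of system() so the file name is never parsed by a shell.
	system("cp", "/path/to/compiled/wrapper", $_);
	# chown before chmod: on some systems chown clears the setuid bit.
	chown $uid, $gid, $_;
	chmod $mode & 07777, $_;
	chmod 0111, "$_.orig";
'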


### Caveats ###

This will not work with programs like ps that, on different architectures,
are themselves wrappers around other programs (e.g. on 64 bit Solaris7/8
calls /usr/bin/sparcv9/ps) because argv[0] is still the original program.
So, /usr/bin/ps calls /usr/bin/sparcv9/ps (the setuid program wrapper)
which checks argv and then calls /usr/bin/ps.orig which doesn't exist.

Those will have to be handled on a case by case basis.


 Doug Hughes				Engineering Network Services
 doug@eng.auburn.edu			Auburn University
