[16776] in bugtraq
(fwd) Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Doug Hughes)
Thu Sep 14 18:36:10 2000
Message-ID: <doug-1000913130545.AA116655@netman>
Date: Wed, 13 Sep 2000 13:05:45 -0500
Reply-To: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
From: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Multiple replies:
>From: Phil Pennock <Phil.Pennock@globnix.org>
>On 2000-09-13 at 10:09 -0500, Doug Hughes gifted us with:
>> strcpy(origfile, argv[0]);
>> strcat(origfile, ".orig");
>>
>> execve(origfile, argv, envp);
>
>That execve() line should give the clue. The executable name does not
>need to match argv.
Naturally. As I said, it is very simplistic. That's just
a quick and easy way to give an almost universal wrapper.
The complication occurs only when the setuid program calls
another program while keeping the original argv[0].
I didn't spend a lot of time thinking of a universal
alternative. If anybody want to contribute an alternative
that can replace any binary without hard-coding, please
be my guest. I thought a 95% solution was better than
nothing.
>From: Dan Astoorian <djast@cs.toronto.edu>
>
>On Wed, 13 Sep 2000 11:09:58 EDT, Doug Hughes writes:
>> Since I don't recall anybody else posting one, here is a simple, generic,
>> setuid wrapper that people could use around, for instance, /usr/bin/eject
>> or other setuid programs.
>
>[...]
>
>> if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
>> perror("allocating memory");
>> exit(1);
>> }
>
>Note that perror() itself may perform localization on some platforms and
>under some circumstances (e.g., if compiled with -lintl under Solaris).
>
>I don't know whether it's exploitable in practice, but it appears to me
>as though this wrapper could suffer, at least theoretically, from the
>same weakness as the programs it's trying to protect.
>
True.. possibly with enough effort. So, replace it with puts.
As I said, this wrapper is very very simplistic. It
doesn't do a lot. But good catch. Old habits die hard.
------
Most importantly:
>From: Serguei Patchkovskii <patchkov@ucalgary.ca>
>Yeah, it will certainly make it unnecessary to go through the bother of
>exploiting any of the format string bugs. However, it is quite unlikely
>to make your systems any safer:
>
>#include <unistd.h>
>
>int
>main( int argc, char *argv[] )
>{
>execl( argv[1], "./gotcha", NULL ) ;
>}
Oof!
Yes, I was looking for a quick fix. Without internal knowledge it
would work too. But as soon as somebody realizes it's based
upon argv, ouch. So, anyway, the moral is there isn't really
a quick fix and you probably want to hard code
the pathname. You could also just setup execve with a fixed
dummy string and then do a sed/replace loop in perl to
replace the setuid with wrappers as in the original.
Here's a template people can use:
main (int argc, char *argv[]) {
char *origfile="/put/the/path/here";
char *envp[1] = { (char *) NULL };
execve (origfile, ++argv, envp);
}
--
Doug "I got spanked on Bugtraq" Hughes
