[16778] in bugtraq


Re: Format String Attacks

daemon@ATHENA.MIT.EDU (Serguei Patchkovskii)
Thu Sep 14 18:46:42 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.A41.4.10.10009131134170.61542-100000@acs1.acs.ucalgary.ca>
Date:         Wed, 13 Sep 2000 11:38:43 -0600
Reply-To: Serguei Patchkovskii <patchkov@UCALGARY.CA>
From: Serguei Patchkovskii <patchkov@UCALGARY.CA>
X-To:         Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200009131509.KAA09328@galen.eng.auburn.edu>

On Wed, 13 Sep 2000, Doug Hughes wrote:

> Since I don't recall anybody else posting one, here is a simple, generic,
> setuid wrapper that people could use around, for instance, /usr/bin/eject
> or other setuid programs.

Yeah, it will certainly make it unnecessary to go through the bother of
exploiting any of the format string bugs. However, it is quite unlikely
to make your systems any safer:

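#include <unistd.h>

/* Runs the wrapper named in argv[1] with argv[0] set to "./gotcha";
 * the wrapper builds its target path from that caller-supplied argv[0]. */
int
main( int argc, char *argv[] )
{
	if ( argc < 2 )
		return 1 ;
	execl( argv[1], "./gotcha", (char *) NULL ) ;
	return 1 ;	/* reached only if execl() failed */
}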

> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
>
> int main (int argc, char *argv[]) {
>
> 	char *origfile;
> 	char *envp[1] = { (char *) NULL };
>
> 	/* room for argv[0] + ".orig" + terminating NUL */
> 	if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
> 		perror("allocating memory");
> 		exit(1);
> 	}
> 	strcpy(origfile, argv[0]);
> 	strcat(origfile, ".orig");
>
> 	execve(origfile, argv, envp);
> 	perror(origfile);	/* reached only if execve() failed */
> 	return 1;
> }

---
Home page: http://www.cobalt.chem.ucalgary.ca/ps/
