[16779] in bugtraq


Re: Format String Attacks

daemon@ATHENA.MIT.EDU (Rick Perry)
Thu Sep 14 18:50:34 2000

Message-ID:  <8pohqj$aiu@ftp.ee.vill.edu>
Date:         Wed, 13 Sep 2000 14:42:27 -0400
Reply-To: Rick Perry <perry@NEWS.VILL.EDU>
From: Rick Perry <perry@NEWS.VILL.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

Doug Hughes <Doug.Hughes@eng.auburn.edu> writes:
>Since I don't recall anybody else posting one, here is a simple, generic,
>setuid wrapper that people could use around, for instance, /usr/bin/eject
>or other setuid programs.
>
>/*
> * This program provided AS IS with no warranty
> * Copyright 2000, doug@eng.auburn.edu
> * Use freely.
> * The environment from the original program is completely obliviated
> */

I found that completely obliviating the environment prevents one from
logging in using CDE in Solaris 7; actually, if you just truncate all
env strings to 128 bytes it prevents CDE login apparently because
there are some necessary long env strings.  The ones I leave alone
are:

#define MAX_LENGTH 128

/* environment variables which we allow to exceed MAX_LENGTH */

char *longenv[] = {
  "DTAPPSEARCHPATH=",
  "DTDATABASESEARCHPATH=",
  "DTHELPSEARCHPATH=",
  "DTSCREENSAVERLIST=",
  "MANPATH=",
  "NLSPATH=",
  "PATH=",
  "TERMCAP=",
  "XFILESEARCHPATH=",
  "XMICONBMSEARCHPATH=",
  "XMICONSEARCHPATH=",
  NULL
};

I know that NLSPATH is in my list above, but having it set long doesn't seem to
be part of the recent exploits.

>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>	/* strlen, strcpy, strcat */
>#include <unistd.h>	/* execve */
>
>int main (int argc, char *argv[]) {
>
>	char *origfile;
>	char *envp[1] = { (char *) NULL };
>
>	if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {

If this wrapper is setuid, using argv[0] doesn't seem safe.  One could
do something like this: cp /bin/sh sh.orig; ln -s path_to_wrapper sh; ./sh
and get a shell under that uid.

What I do instead is something like: execv( ORIG, argv);
where ORIG is #define'd separately (gcc -DORIG=\"/bin/something.orig\") for each
setuid program being wrapped, i.e. each wrapper has a hard-coded string for
the .orig program to execute, and each .orig has its own wrapper.

>		perror("allocating memory");
>		exit(1);
>	}
>	strcpy(origfile, argv[0]);
>	strcat(origfile, ".orig");

>	execve(origfile, argv, envp);
>}
...


...Rick	 perry@ece.villanova.edu, http://www.ece.villanova.edu/~perry/ [PGP]
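Putting the two points of this reply together, as an added example that is neither Doug's nor Rick's code: environment strings are truncated to MAX_LENGTH unless their name is in the longenv list, and the wrapper execs a hard-coded ORIG rather than anything derived from argv[0]. The default ORIG path and the sample environment built by sample_env() are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef ORIG
#define ORIG "/usr/bin/eject.orig"  /* assumed default; set per wrapper with -DORIG=... */
#endif
#define MAX_LENGTH 128
/* environment variables allowed to exceed MAX_LENGTH (the list from the message) */
static const char *longenv[] = {
  "DTAPPSEARCHPATH=", "DTDATABASESEARCHPATH=", "DTHELPSEARCHPATH=",
  "DTSCREENSAVERLIST=", "MANPATH=", "NLSPATH=", "PATH=", "TERMCAP=",
  "XFILESEARCHPATH=", "XMICONBMSEARCHPATH=", "XMICONSEARCHPATH=", NULL };
/* 1 if var ("NAME=value") starts with a name in longenv, else 0 */
int may_be_long(const char *var) {
  for (int i = 0; longenv[i]; i++)
    if (strncmp(var, longenv[i], strlen(longenv[i])) == 0) return 1;
  return 0;
}
/* Copy envp into a fresh NULL-terminated array, truncating each string to MAX_LENGTH unless may_be_long(); NULL on allocation failure */
char **filter_env(char *const envp[]) {
  size_t n = 0;
  while (envp[n]) n++;
  char **out = calloc(n + 1, sizeof *out);
  if (!out) return NULL;
  for (size_t i = 0; i < n; i++) {
    size_t len = strlen(envp[i]);
    if (len > MAX_LENGTH && !may_be_long(envp[i])) len = MAX_LENGTH;
    if (!(out[i] = malloc(len + 1))) return NULL;
    memcpy(out[i], envp[i], len);
    out[i][len] = '\0';
  }
  return out;
}
/* Constructed sample input (not from the message): a 300-byte PATH, which is allowed, and a 300-byte FOO, which is not */
char **sample_env(void) {
  static char path[306], foo[305];
  static char *env[] = { "HOME=/home/u", path, foo, NULL };
  memcpy(path, "PATH=", 5); memset(path + 5, 'p', 300); path[305] = '\0';
  memcpy(foo, "FOO=", 4);   memset(foo + 4, 'f', 300);  foo[304] = '\0';
  return env;
}
int main(int argc, char *argv[], char *envp[]) {
  char **clean = filter_env(envp);
  if (!clean) { perror("filter_env"); return 1; }
  execve(ORIG, argv, clean);  /* hard-coded target: argv[0] is chosen by the caller */
  perror(ORIG);
  return 1;
}
```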
