[16783] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Dan Harkless)
Fri Sep 15 01:38:50 2000
Message-Id: <200009150003.RAA14784@dilvish.speed.net>
Date: Thu, 14 Sep 2000 17:03:00 -0700
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Drazen Kacar <dave@SRCE.HR> of "Wed, 13 Sep 2000 21:20:41 +0200." <20000913212041.A20920@svarozic.srce.hr>
Drazen Kacar <dave@SRCE.HR> writes:
> You can't rely on argv[0], because any program can change that. On Solaris
> you can use getexecname(3c) to get the name of the executed file.
The man page says that won't always be an absolute path, though:

    Normally this is an absolute pathname, as the majority of
    commands are executed by the shells who append the command
    name to the user's PATH components. If this is not an absolute
    path, getcwd(3C) can be prepended to it to create an
    absolute path.

    [...]

    The getexecname() function obtains the executable pathname
    from the AT_SUN_EXECNAME aux vector. These vectors are made
    available to dynamically linked processes only.
> Symlinks
> will be resolved. I don't know if it's possible to exploit some race
> condition with it. It would be advisable to limit programs which you
> execute to the trusted path, such as /usr/bin. Or a path prefix, at least.
On my Solaris 2.6 system, all system setid programs were under /etc or /usr,
but that may vary from system to system, of course.
> Some programs (or administrators) will need environment variables, so
> it would be nice just to remove the unwanted ones.
Yeah, it's definitely major overkill to delete the entire environment. My
script only clears the environment variables you specify.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
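The checks discussed in this exchange, as an added example that is not part of the original posts or of Dan's script: the executable's own name is taken from getexecname() on Solaris (made absolute with getcwd() when the man page says it may be relative), compared against a trusted directory prefix rather than trusting argv[0], and only a named list of environment variables is removed instead of the whole environment. The non-Solaris branch reads /proc/self/exe, which is a Linux-specific assumption so the example runs outside Solaris; the prefix list and the variable names are illustrative choices, not from the thread.

```c
/* Added example, not from the original posts. _GNU_SOURCE is defined so
 * that unsetenv(), readlink() and getcwd() are declared on glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAXPATH 4096   /* local buffer size; avoids relying on PATH_MAX */

/* Build an absolute path from NAME. If NAME is already absolute it is
 * copied; otherwise CWD is prepended, as the getexecname(3c) man page
 * suggests for a non-absolute result. Returns 0 on success, -1 if the
 * result would not fit in OUT. */
int make_absolute(const char *name, const char *cwd, char *out, size_t outsz)
{
    int n;
    if (name[0] == '/')
        n = snprintf(out, outsz, "%s", name);
    else
        n = snprintf(out, outsz, "%s/%s", cwd, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Return 1 if PATH lies under one of the directories in PREFIXES
 * (for example "/usr/bin"), else 0. The check for a '/' right after the
 * prefix stops "/usr/binx/evil" from matching the prefix "/usr/bin". */
int under_trusted_prefix(const char *path, const char *const *prefixes)
{
    for (; *prefixes; prefixes++) {
        size_t len = strlen(*prefixes);
        if (strncmp(path, *prefixes, len) == 0 && path[len] == '/')
            return 1;
    }
    return 0;
}

/* Absolute path of the running executable, without consulting argv[0].
 * Solaris: getexecname() reads AT_SUN_EXECNAME from the aux vector
 * (dynamically linked processes only, per the man page). Elsewhere the
 * example assumes Linux and reads the /proc/self/exe symlink. */
int executable_path(char *out, size_t outsz)
{
#if defined(__sun)
    const char *name = getexecname();
    char cwd[MAXPATH];
    if (name == NULL || getcwd(cwd, sizeof cwd) == NULL)
        return -1;
    return make_absolute(name, cwd, out, outsz);
#else
    ssize_t n = readlink("/proc/self/exe", out, outsz - 1);  /* Linux assumption */
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
#endif
}

/* Remove only the environment variables named in NAMES, leaving the rest
 * of the environment intact. Returns how many were actually present. */
int scrub_env(const char *const *names)
{
    int removed = 0;
    for (; *names; names++) {
        if (getenv(*names) != NULL) {
            unsetenv(*names);
            removed++;
        }
    }
    return removed;
}

int main(void)
{
    /* Illustrative lists; adjust to the system's actual setid locations. */
    static const char *const trusted[] = { "/usr/bin", "/usr/sbin", "/etc", NULL };
    static const char *const dangerous[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", NULL };
    char path[MAXPATH];

    if (executable_path(path, sizeof path) != 0) {
        perror("executable_path");
        return 1;
    }
    printf("running as %s (%s)\n", path,
           under_trusted_prefix(path, trusted) ? "under a trusted prefix"
                                               : "outside the trusted prefixes");
    printf("removed %d environment variable(s)\n", scrub_env(dangerous));
    return 0;
}
```

The prefix test deliberately requires a '/' after the prefix so that a sibling directory with a longer name cannot pass; the environment scrub returns a count so a wrapper can log what it actually stripped.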