[16803] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Dan Harkless)
Mon Sep 18 01:03:26 2000
Message-Id: <200009152020.NAA23984@dilvish.speed.net>
Date: Fri, 15 Sep 2000 13:20:02 -0700
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> of
"Fri, 15 Sep 2000 01:47:52 PDT."
<200009150847.BAA19170@dilvish.speed.net>
Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> writes:
>
> Sorry, yet another revision of this script is now available (probably the
> last change to be made). This probably isn't necessary anywhere, but just
> to be extra-paranoid, I changed the syscall error reporting to just print
> the numeric errno rather than trusting strerror() to not do anything bogus.
> I also changed the clearing of the environment variable(s) to be done
> manually (using main()'s third parameter) rather than trusting putenv().
>
> Since the new version should be functionally identical to the last one, I
> won't waste more bandwidth by posting this rev. If you'd like it, you can
> get it from:
>
> http://harkless.org/dan/software/wrap_setid_progs_with_envar_clearer
Heh. Sorry, I realized a minor problem with my script while driving home last
night. In -u mode, the script unwrapped any setid programs that had the
".wrapper_due_to_envar_security_hole" extension.
It's not safe to trust that all such files were created by the script, though.
In a +w +t directory like /tmp, a user could trick
wrap_setid_progs_with_envar_clearer -u into clobbering another user's file
by creating a fake (setid-self) wrapper.
I changed the script so that for each file, it asks whether it should be
unwrapped, just like in the non -u mode. The script is available from the
URL above.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
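The trap described in the post (a privileged unwrap step trusting a filename suffix in a +w +t directory) can be turned into a concrete pre-flight check. The following is an added example, not code from wrap_setid_progs_with_envar_clearer or from Dan Harkless; it only borrows the ".wrapper_due_to_envar_security_hole" suffix the post names. The function name unwrap_safety_check, the helper names, and the assumption that a script-created pair (original plus renamed wrapper) share one owner are the example's own. The demo layouts it builds in a temporary directory are constructed sample data, not real /tmp contents.

```python
import os
import stat
import tempfile

# Extension the post says the script gives to the renamed original setid program.
SUFFIX = ".wrapper_due_to_envar_security_hole"


def unwrap_safety_check(wrapped_path):
    """Return None if unwrapping looks safe, else a string saying why to refuse.

    wrapped_path is the file carrying SUFFIX (the renamed original). Unwrapping
    would move it back over the same name without the suffix, so that name is
    what an attacker-planted fake would clobber. (Hypothetical helper; this is
    not the script's own logic.)
    """
    if not wrapped_path.endswith(SUFFIX):
        return "refuse: name does not carry the wrapper suffix"
    wrapped_path = os.path.abspath(wrapped_path)
    target_path = wrapped_path[: -len(SUFFIX)]
    dir_path = os.path.dirname(wrapped_path)

    try:
        d = os.lstat(dir_path)
        w = os.lstat(wrapped_path)
        t = os.lstat(target_path)
    except FileNotFoundError as e:
        return "refuse: missing " + str(e.filename)

    # In a +w directory (sticky or not) any local user can create "<name>" + SUFFIX
    # beside somebody else's "<name>". The sticky bit stops them renaming over it
    # themselves, but not a privileged script doing the rename on their behalf.
    if d.st_mode & stat.S_IWOTH:
        return "refuse: directory is world-writable"
    # lstat + S_ISLNK: never let a symlink decide which inode gets replaced.
    if stat.S_ISLNK(w.st_mode) or stat.S_ISLNK(t.st_mode):
        return "refuse: symlink involved"
    if not (stat.S_ISREG(w.st_mode) and stat.S_ISREG(t.st_mode)):
        return "refuse: not both regular files"
    # Assumption of this example: the two halves of a genuine pair share an owner.
    # With that rule an attacker can only ever clobber a file they already own.
    if w.st_uid != t.st_uid:
        return "refuse: wrapper and original have different owners"
    return None


def _touch(path):
    """Create an empty regular file (constructed sample data for the demo)."""
    with open(path, "wb"):
        pass


def demo():
    """Build three layouts in a scratch directory and run the check on each.

    Returns a dict of case name -> result of unwrap_safety_check.
    """
    results = {}
    with tempfile.TemporaryDirectory() as top:
        os.chmod(top, 0o700)

        # Case 1: a private bin directory, both files ours. Should be allowed.
        bin_dir = os.path.join(top, "bin")
        os.mkdir(bin_dir, 0o755)
        _touch(os.path.join(bin_dir, "prog"))
        _touch(os.path.join(bin_dir, "prog" + SUFFIX))
        results["private_dir"] = unwrap_safety_check(
            os.path.join(bin_dir, "prog" + SUFFIX))

        # Case 2: a /tmp-like +w +t directory with a planted "victim" pair.
        tmp_like = os.path.join(top, "tmp")
        os.mkdir(tmp_like)
        os.chmod(tmp_like, 0o1777)
        _touch(os.path.join(tmp_like, "victim"))
        _touch(os.path.join(tmp_like, "victim" + SUFFIX))
        results["sticky_world_writable"] = unwrap_safety_check(
            os.path.join(tmp_like, "victim" + SUFFIX))

        # Case 3: the unwrap target is a symlink pointing at some other file.
        lnk_dir = os.path.join(top, "lnk")
        os.mkdir(lnk_dir, 0o755)
        _touch(os.path.join(lnk_dir, "real"))
        os.symlink("real", os.path.join(lnk_dir, "alias"))
        _touch(os.path.join(lnk_dir, "alias" + SUFFIX))
        results["symlink_target"] = unwrap_safety_check(
            os.path.join(lnk_dir, "alias" + SUFFIX))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", "ok to unwrap" if verdict is None else verdict)
```

The check uses lstat rather than stat throughout so a symlink is judged as a symlink, and it refuses any world-writable directory outright instead of trying to reason about sticky-bit semantics; a per-file prompt, as the post settles on, is the right complement, since the check can only say "no", never prove a pair genuine.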