[2379] in bugtraq
Does the shared lib bug work on any suid program ?
daemon@ATHENA.MIT.EDU (Bernd Lehle)
Thu Nov 9 10:46:58 1995
Date: Fri, 3 Nov 1995 14:07:56 +0100
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
From: Bernd Lehle <Bernd.Lehle@RUS.Uni-Stuttgart.DE>
X-To: bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
Hi there,
after all the fuss about the telnet/shared lib stuff, somebody here came up
with something that might be even more interesting:
What would happen in the following case:
- Choose any suid program that uses a library call whose name you know
- example: su calls crypt(3)
- take the library that contains crypt and delete crypt from it
- add a crypt function that does exec(sh)
- rebuild the shared library with the new crypt
- set the shared library path to your home
- su
Right after the password was typed in, you should have a root shell...
This game could be played with any suid program where you know what routines
it calls.
Or am I missing something?
I did not try this yet, because I don't know (yet) how to build shared
libraries ...
--
> Bernd Lehle - Stuttgart University Computer Center * A supercomputer <
> Visualization / SFB 382 / Astrophysics * is a machine <
> lehle@rus.uni-stuttgart.de Tel:+49-711-685-2047 * that runs an <
> http://www.tat.physik.uni-tuebingen.de/~lehle * endless loop <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de * in 2 seconds <