[2723] in bugtraq
Re: system() call in suid programs
daemon@ATHENA.MIT.EDU (Kari E. Hurtta)
Fri Jun 14 15:14:32 1996
Date: Fri, 14 Jun 1996 20:25:48 +0300
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Kari E. Hurtta" <Kari.Hurtta@dionysos.fmi.fi>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199606141418.KAA36484@matisse.its.rpi.edu> from Not Joe at "Jun 14, 96 10:18:35 am"
Not Joe writes:
> Hello,
>
> I know that it is bad to use the system() system call in programs, especially
> ones that are suid root, and that it can be exploited fairly easily. Could
> somebody post or send me details how exploits based on the system() call work?
> Detail would be good, as I am supposed to explain the security implications
> to my boss at our next meeting.
system(char *str) does the following:
  fork()s
  exec()s '/bin/sh' with arguments '-c' and str
This means:
- All shell metacharacters are in effect:
  ; $ \ & ' " [ ] ( ) { } :
  * For example, if your code is
      sprintf(buffer,"telnet %s",host);
      system(buffer);
    consider what happens if 'host' is:
      badname; rm -rf /
- The shell follows environment variables such as
  PATH and IFS
  * Consider what happens if the user
    adds '.' to the beginning of PATH and
    puts a script with the name 'telnet' in the
    default directory:
      #!/bin/sh
      cp /bin/sh my_suid_shell
      chmod u+s my_suid_shell
    and calls your suid program.
  * Consider what happens if your code is
      sprintf(buffer,"/usr/bin/telnet %s",host);
      system(buffer);
    and the user adds '/tmp' to $PATH, sets $IFS to " /",
    puts a script with the name 'usr' in
    /tmp,
    and calls your suid program.
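The three mechanisms above (metacharacters re-parsed by "/bin/sh -c", PATH lookup of a relative command name, and IFS re-splitting an absolute one) put into one runnable C program, together with the replacement a practitioner would actually ship: a whitelist check on the host name and a fork()/execve() that passes the argument as its own argv element under a fixed environment. This is an added example, not code from the post; the validator policy (letters, digits, '.' and '-') and the function names are assumptions made here, and the attacker-chosen host string is constructed for the demonstration. One caveat on the IFS case: old Bourne shells applied IFS to the whole command line, which is what makes "/usr/bin/telnet" turn into the word "usr"; modern POSIX shells such as bash and dash only apply IFS to the results of expansions, so that particular trick no longer works there, while the metacharacter and PATH problems are unchanged.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* (1) The pattern from the post: the caller-supplied host name is pasted
 * into a command line that system() hands to "/bin/sh -c", so every shell
 * metacharacter in it is honoured.  Returns the length snprintf reports. */
int build_vulnerable_command(const char *host, char *buf, size_t n)
{
    return snprintf(buf, n, "telnet %s", host);
}

/* (2) Whitelist validator (a hypothetical policy chosen for this example):
 * a host name may contain only letters, digits, '.' and '-'.  Anything
 * else, including every metacharacter listed in the post and whitespace,
 * is rejected before it reaches any exec.  Returns 1 if acceptable, 0 if not. */
int host_is_safe(const char *host)
{
    const unsigned char *p;
    if (host == NULL || *host == '\0')
        return 0;
    for (p = (const unsigned char *)host; *p != '\0'; p++)
        if (!isalnum(*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}

/* (3) Model of how an old Bourne shell split a command line: every byte in
 * IFS is a separator.  Copies the first word of cmd into out (at most n-1
 * bytes) and returns its length.  With IFS=" /", "/usr/bin/telnet host"
 * yields "usr", which PATH then resolves to the attacker's /tmp/usr. */
size_t first_word_with_ifs(const char *cmd, const char *ifs, char *out, size_t n)
{
    size_t i = 0;
    while (*cmd != '\0' && strchr(ifs, *cmd) != NULL)
        cmd++;                                   /* skip leading separators */
    while (*cmd != '\0' && strchr(ifs, *cmd) == NULL && i + 1 < n)
        out[i++] = *cmd++;
    out[i] = '\0';
    return i;
}

/* (4) What to call instead of system(): fork, then execve an absolute path
 * with an explicit argv and a fixed environment.  No shell parses the
 * argument, and the caller's PATH and IFS are never consulted.  The child
 * also gives up the set-uid privilege before exec, since the helper does
 * not need it.  Returns the child's exit status, 127 if exec failed, -1 on
 * fork/wait error. */
int run_without_shell(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setuid(getuid()) != 0)               /* drop to the real uid */
            _exit(126);
        execve(path, argv, clean_env);
        _exit(127);                              /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *host = "badname; rm -rf /";      /* constructed attacker input */
    char cmd[128], word[32];
    char *const argv[] = { "telnet", (char *)host, NULL };

    build_vulnerable_command(host, cmd, sizeof cmd);
    printf("system() would run: /bin/sh -c \"%s\"\n", cmd);
    printf("host_is_safe: %d\n", host_is_safe(host));

    first_word_with_ifs("/usr/bin/telnet host", " /", word, sizeof word);
    printf("with IFS=\" /\" an old shell looks up the command: %s\n", word);

    /* Refuse before exec; a clean name would go straight to /usr/bin/telnet. */
    if (!host_is_safe(host))
        printf("rejected, not executing\n");
    else
        run_without_shell("/usr/bin/telnet", argv);
    return 0;
}
```

The order matters: validate first, then exec without a shell. Validation alone still leaves the PATH and IFS problems if you keep system(); exec without a shell alone still passes "badname; rm -rf /" to telnet as a single literal argument, which is harmless to the shell but not necessarily to whatever telnet does with it, so the whitelist stays.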