Re: solaris root-setuid script to gain root?

From: Vitalik N. (robert.morris.jr@gmail.com)
Date: Sun Jul 01 2007 - 23:44:55 EDT


On 7/2/07, Nathan Sportsman <nsportsman@gmail.com> wrote:
> Just to be clear...the owner of your uname program is root and the
> setuid bit is set on it right? chmod u=+s uname
>
> try doing setuid(geteuid()) and see what effective user id the program
> is actually being run as.
>
> Thanks
> Nathan Sportsman
>
> On 7/1/07, Vitalik N. <robert.morris.jr@gmail.com> wrote:
> > On 7/1/07, Thomas Pollet <thomas.pollet@gmail.com> wrote:
> > > Hello,
> > >
> > > On 30/06/07, Vitalik N. <robert.morris.jr@gmail.com> wrote:
> > > > Hi
> > > >
> > > > I was doing pen testing the other day and I found one root suid script
> > > > left by some of the web developers:
> > > >
> > > > -rwsr-x--x 1 root users /home/web/c.cgi
> > > >
> > > > which is basically a bash script:
> > > >
> > > > ------ cut ------------
> > > > #!/bin/sh
> > > >
> > > > uname
> > > > ------ cut ------------
> > > >
> > > > And our system was recently compromised. Some local user was able to
> > > > gain root access. Could this script be the way of gaining root access?
> > > >
> > > > According to http://www.unix.com/tips-and-tutorials/36711-the-whole-story-on-usr-bin-ksh.html
> > > > "Because it was not possible to write a secure suid shell script, the concept
> > > > of suid shell scripts was removed from Unix." But then it says "Solaris now
> > > > supports suid shell" !
> > > > I tried modifying the PATH variable and creating my own "uname" program.
> > > > But my uname program runs with local user privs instead of root. I
> > > > also tried the
> > > did you put a setuid(0) in your uname program?
> > >
> > > f.i.:
> > > cat >uname.c<<EOF
> > > #include <unistd.h>
> > > int main (int argc, char **argv, char **envp) {
> > > setuid(0);
> > > setgid(0);
> > > execve("/bin/sh",argv,envp);
> > > }
> > > EOF
> > >
> > > > other attack described in the link above: "link to -i" but this didn't
> > > > work as well.
> > > > So could this script be the problem?
> > > >
> > > > P.S: The machine runs SunOS 5.6 with all updates
> > >
> > > Regards,
> > > Thomas Pollet
> > >
> >
> > Yes, my uname program was exactly the same. But I used the execl call instead
> > of execve (don't think that would make any difference). I also tried
> > setting euid (seteuid(0)).
> > Using a bash script for "uname" program didn't work either:
> >
> > % cat uname
> > #!/bin/sh
> > touch /tmp/test
> > chown root /tmp/test
> >
> > the script complains about privileges and can't execute chown.
> >

The owner of my uname program is not root. The uname program has 455
permissions set. But c.cgi has the root suid bit set (-rwsr-x--x 1
root users /home/web/c.cgi). getuid and geteuid return the id of the
user who runs the program.
Maybe suid scripts are not vulnerable to this kind of attack?

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------
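A defender-side check for the condition this thread turns on (a set-uid root interpreter script such as /home/web/c.cgi), as an added example that is not code from any poster here: a POSIX sh helper that walks a directory tree and reports set-uid/set-gid regular files whose first line is a `#!` line. Function names and the output format are my own.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread): audit a directory
# tree for set-uid / set-gid regular files whose first line is a "#!"
# interpreter line, i.e. setuid shell/perl scripts such as the
# "-rwsr-x--x root /home/web/c.cgi" case discussed above.
# Output: one line per hit, "mode owner path interpreter-line".

find_suid_scripts() {
    dir=$1
    # -perm -4000 matches the set-uid bit, -perm -2000 the set-gid bit;
    # -type f limits the scan to regular files (the 2000 bit means
    # something else on directories).
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        # Read just the first two bytes; "#!" marks an interpreter script.
        magic=$(dd if="$path" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            mode_owner=$(ls -ld "$path" | awk '{print $1, $3}')
            interp=$(head -n 1 "$path")
            printf '%s %s %s\n' "$mode_owner" "$path" "$interp"
        fi
    done
}

# Convenience wrapper: number of set-uid/set-gid interpreter scripts found.
count_suid_scripts() {
    find_suid_scripts "$1" | wc -l | tr -d ' '
}

# Typical use on a host (scans everything, may take a while):
#   find_suid_scripts /
```

Any hit owned by root is worth treating as a finding regardless of whether the kernel honours set-uid on scripts, because the script's environment (PATH, IFS) is still controlled by the caller.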



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:55 EDT