Hi all,
I have done some auditing in the past few days and found some potential
security issues, but I'm not so sure about how (if at all) some things
can be exploited.
Am I correct, that
a) if the line
HOME=`perl -e 'print "A" x 1000;'` program
crashes the program (which most surely hints at a buffer overflow)
this is only exploitable if 'program' is setuid/setgid?
Are there any other possibilities for how this could potentially be
exploited in case 'program' is _not_ setuid/setgid?
I guess if someone could manage to trick root into running some
code like the above, he/she can gain root privileges. But
usually someone with root should be smart enough _not_ to run such
stuff, I'd say. So are there any more subtle attacks known, e.g. where
a user can fiddle with the HOME variable of root?
Does such a bug justify a DSA, or should I just file a bug-report?
b) if I can crash an application with
program --some-switch `perl -e 'print "A" x 1000;'`
i.e. an overly long command-line switch, I can't do very much damage
if 'program' is not setuid/setgid, right?
What if the application is intended to be run as root (i.e. because
it needs to bind to a port < 1024)? All I have to do is trick root
into running the program with the very long command-line switch,
I guess. Can this realistically be done, so that a normal (non-dumb)
admin executes this?
TIA, Uwe.
--
Uwe Hermann <uwe@xxxxxxxxxxxxxx>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
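As an added illustration (not part of Uwe's mail) of the bug class behind both questions: a fixed-size buffer filled from HOME or from an argument value with no length check, next to a bounded replacement that refuses oversize input instead of crashing. The program name, `.programrc`, and the 256-byte limit are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_PATH_LEN 256

/* Vulnerable pattern (reference only, never called here): copies
 * whatever HOME contains into a fixed-size stack buffer, so a value
 * like the 1000 x "A" from the mail overruns 'buf'. */
void build_rc_path_unsafe(const char *home, char *rc)
{
    char buf[RC_PATH_LEN];
    strcpy(buf, home);              /* unbounded copy */
    strcat(buf, "/.programrc");
    strcpy(rc, buf);
}

/* Bounded replacement. snprintf returns the length it *wanted* to
 * write, so an over-long HOME is detected and rejected rather than
 * truncated or allowed to overrun. Returns 0 on success, -1 if the
 * input is missing or does not fit; 'rc' is emptied on failure. */
int build_rc_path(const char *home, char *rc, size_t rclen)
{
    if (home == NULL || rc == NULL || rclen == 0)
        return -1;
    int n = snprintf(rc, rclen, "%s/.programrc", home);
    if (n < 0 || (size_t)n >= rclen) {
        rc[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same idea for a command-line switch value: enforce a maximum
 * length before the value reaches any fixed-size buffer. */
int accept_switch_value(const char *value, size_t maxlen)
{
    if (value == NULL)
        return -1;
    return strlen(value) > maxlen ? -1 : 0;
}

int main(int argc, char **argv)
{
    char rc[RC_PATH_LEN];
    if (build_rc_path(getenv("HOME"), rc, sizeof rc) != 0) {
        fprintf(stderr, "HOME unset or too long, refusing to continue\n");
        return 1;
    }
    if (argc > 1 && accept_switch_value(argv[1], 128) != 0) {
        fprintf(stderr, "argument too long\n");
        return 1;
    }
    printf("config: %s\n", rc);
    return 0;
}
```

Run with `HOME=$(perl -e 'print "A" x 1000') ./a.out` and the hardened path exits with an error message instead of a segfault.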