Re: Generic questions about potential attack types.: msg#00004

Subject: Re: Generic questions about potential attack types.
On Sun, Mar 06, 2005 at 01:56:43AM +0100, Uwe Hermann wrote:
>  a) if the line
>       HOME=`perl -e 'print "A" x 1000;'` program
>     crashes the program (which most surely hints at a buffer overflow)
>     this is only exploitable if 'program' is setuid/setgid?
> 
>     Are there any other possibilities for how this could potentially be
>     exploited in case 'program' is _not_ setuid/setgid?

  I can't think of any, because as you say you'd need to trick root
 into running it with a bogus HOME variable.

  If they are careful they would clear their environment as part of
 the su process.

>     I guess if someone could manage to trick root into running some
>     code like the above, he/she can gain root privileges. But
>     usually someone with root should be smart enough _not_ to run such
>     stuff, I'd say. So are there any more subtle attacks known, e.g. where
>     a user can fiddle with the HOME variable of root?

  I don't think a normal user should be able to fiddle with another
 user's HOME, let alone root's.

>     Does such a bug justify a DSA, or should I just file a bug-report?

  I think just a bug report.

>  b) if I can crash an application with
>       program --some-switch `perl -e 'print "A" x 1000;'`
>     i.e. an overly long command-line switch, I can't do very much damage
>     if 'program' is not setuid/setgid, right?

  Right.

>     What if the application is intended to be run as root (i.e. because
>     it needs to bind to a port < 1024)? All I have to do is trick root
>     into running the program with the very long command-line switch,
>     I guess. Can this realistically be done, so that a normal (non-dumb)
>     admin executes this?

  I think this is a more interesting case.  There have been a few
 programs that have had updates for this.  Specifically I'm thinking
 of htpasswd which was updated, eventually, not because it's run by
 root - but because it's often invoked by CGI scripts.

  I'm guessing if a command line program that was commonly used in
 such a way was buggy that an update would be made, ping, traceroute,
 etc.

  Having a program require root privileges to bind a port doesn't
 make it more likely to be updated - if as you say it's not setuid to
 start with.

  In fact they are probably safer than normal processes as they are
 typically binding a port to be a daemon - so they will be started
 by /etc/init.d/foo and that means the command line is effectively
 hardwired.

  (Modulo cases where command line parameters come from configuration
 files)

Steve
--


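An added triage example in C (my own code, not Steve's or Uwe's; the helper names and the HOME_MAX size are assumptions): it shows the bounded handling of HOME that avoids the crash Uwe describes, plus the setuid/setgid check that, following Steve's argument, decides whether such a crash is a security bug or just a bug report.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define HOME_MAX 256  /* fixed buffer, as in the programs the thread discusses */

/* Bounded copy of an environment value such as HOME. Returns 0 on success,
 * -1 if the value is missing or would not fit: an overlong HOME is rejected
 * outright instead of overflowing the buffer or being silently truncated. */
int copy_home_bounded(const char *value, char *dst, size_t dstlen)
{
    if (value == NULL || dstlen == 0) return -1;
    size_t n = strlen(value);
    if (n >= dstlen) return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Constructed input (hypothetical helper): a HOME value of `len` 'A' bytes,
 * like perl -e 'print "A" x 1000' in the thread. Returns the copy's result. */
int simulate_home_of_length(size_t len)
{
    char buf[HOME_MAX];
    char *value = malloc(len + 1);
    if (value == NULL) return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    int rc = copy_home_bounded(value, buf, sizeof buf);
    free(value);
    return rc;
}

/* Triage check: does the binary itself cross a privilege boundary?
 * Returns 1 if setuid or setgid, 0 if neither, -1 if stat() fails. */
int is_setid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

/* Severity as argued in the thread: a crash on caller-controlled HOME or
 * argv is a security issue only when the program runs with privileges the
 * caller lacks, directly (setid) or indirectly (run by root, CGI, init.d). */
const char *triage(int setid, int run_by_privileged_caller)
{
    if (setid == 1) return "setid: security bug";
    if (run_by_privileged_caller) return "indirect boundary (root/CGI/init.d caller): security bug";
    return "no boundary crossed: ordinary bug report";
}
```

Run `is_setid()` on the binary in question and feed the result to `triage()` together with whether root, a CGI script or an init script invokes it.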