Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-: msg#00346security.bugtraq
It is interesting to see that old problems with set-uid commands keep coming back. Allow me to speed up the discussion a bit by enumerating a few other channels for attack on set-uid commands.

A quick perusal of /usr/include/sys/proc.h reveals a large number of "inputs" that a child process may inherit from a potentially untrusted parent process. The list includes, but is not limited to:

    command-line array
    environment array
    open files
    current directory
    blocked/enabled signals
    pending timers
    resource limits
    scheduling priority

All these sources of data can be, and have been, involved in attacks on set-uid or set-gid commands (although I do not remember specific details of pending timer attacks).

In addition to these "inheritance" attacks which are specific to set-uid and set-gid commands, set-uid and set-gid commands can be exposed to attacks via the /proc interface, and can be exposed to ordinary data-driven attacks by feeding them nasty inputs.

Thus, set-uid and set-gid commands are exposed to a lot more attack types than your average network service. The reason that network attacks get more attention is simply that there are more opportunities to exploit them.

Wietse