Home page logo
/

bugtraq logo Bugtraq mailing list archives

SMASHING THE STACK: PREVENTION?
From: massimo () VNET IBM COM (massimo at vnet.ibm.com)
Date: Mon, 28 Apr 1997 13:45:32 UTC


--------
What about a sort of "execXXX-wrapper"? Instead of patching the kernel,
I wonder whether it make sense to patch the C library (libc.a). In each
routine of the exec family (execvp, execl, execve...) one could add something
like:

if(real_user_id==effective_user_id ||    /* standard case */
   (real_user_id && effective_user_id) || /* switching between two users */
   (real_user_id==0 && effective_user_id==0) || /* it is root: no problem */
   (real_user_id==0 && effective_user_id))) { /* it is root: no problem */

   go ahead with no further check; /* no problem */

} else {
   if(real_user_id && effective_user_id==0) { /* this could be an exploit */
      double_check before execXXX execution...
   } else {
      fprintf(stderr,"Something is really wrong!!!\n");
   }
}

For all I know there are very few SUID 0 programs which invoke execXXX
routines to spawn a shell. Getty is probably the only significant SUID program
which starts a shell, so it should be pretty easy to introduce additional
checks: for instance if the SUID program tries to exec any of the shells: csh,
bash, ksh,...., just returns an error and logs the real_user_id somewhere.

Any comment?


-------------- Massimo Bernaschi ---------------------
|  IBM Semea          | e-mail: massimo () vnet ibm com |
|  via Shanghai 53    | phone: +39 6 59665316        |
|  00144 Roma - ITALY | fax:   +39 6 59665084        |
------------------------------------------------------



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault