Home page logo
/

bugtraq logo Bugtraq mailing list archives

First Patch :)
From: goober () GANGA GJH SCHOOLS SK (Peter 'Goober' Kosinar)
Date: Fri, 29 May 1998 08:29:20 +0200


  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

--1656955146-1932165182-896423360=:5162
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi traqers of bugs !

        Here is my first patch for Linux. Its purpose is to stop some
exploits based on using SUID bit. For better protection it should be
combined with Solar Designer's one (but it could work independently
too). It doesn't make writing exploits impossible, but at least a bit
tougher. I have tested it on my computer, but it is possible that it
won't work in some cases.
        How does it work - for each process it stores a new uid (I
have choosen a name RUID = Real UID). Purpose of RUID is to keep
track of who is real owner of this process (it is inherited from
parent process and changed only when root's process runs process
under different EUID). When process tries to spawn (fork/exec)
process under EUID!=RUID and it is not originally root's process
(RUID==0), it is reported to console and EUID is forced to RUID.
Of course, sometimes it is required for process to spawn something
under different EUID (example is 'su'). I needed to somehow mark programs
that are allowed to spawn under different EUID. For this purpose I have
choosen new bit (thus it cannot be marked by chmod). So, programs marked
in this way CAN spawn programs under different UID.
        Explanation how it works on exploits. Ex, standard old
exploit by Solar D. (the one using NLSPATH on "/bin/su"):
1) user (hacker) COOLER runs program a.out
2) process a.out gets ruid=(uid of COOLER)
3) process a.out prepares what it needs (set variable,...)
4) it runs process '/bin/su'
5) process 'su' gets RUID=(uid of COOLER) and EUID=0
6) something happens (exploit code gets control)
7) it does 'setuid(0)' to set its *UID=0
8) when trying to 'exec("/bin/sh"...)', my code checks if it can do
   so (variable 'secure' is used to). If not, message is sent to console
   and EUID=(uid of COOLER).

values of secure:
0 = unsecure program
1 = secure program
2 = program that isn't secure, but was runned by secure program. This
    isn't used in present version of patch, but probably will be used
    in some future.

There are some other things that this patch should do.
To mark secure programs, I needed to use some technique. At this moment
I use the S_ISVTX (+t bit), but I have another idea - use new bit.
Problem is that in standard inode attributes is no free space :)
So I decided to use inode->flags, but I still don't know how is it
possible to set flags :) Many other ideas will be implemented in next
version of this patch.


        Of course, this patch is not absolutely proof. Here are two ways
of bypassing the exploit
1) hacker doesn't need to exec anything (he can do everything in the
   exploit code. ex, write something to passwd/shadow,..., because at
   that moment it runs under EUID=0).



programs that require marking using my patch to work properly:
/bin/su
possibly some programs (xterm,...) from X11 package, but I haven't found
and problems without this bit.

        Hope this patch will help :)


                                                g00bER



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Name:      Peter Kosinar
Work:)    student and 'co-admin' of school Novell and Linux server
E-Mail:    goober () ganga gjh schools sk        (preferred)
           goober () dunaj gjh schools sk
URL:       http://www.gjh.schools.sk/~goober  (under reconstruction now)
Interests: crypto, [anti]virus, bugs

--1656955146-1932165182-896423360=:5162
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=seww2
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.96.980529082920.5162B () ganga gjh schools sk>
Content-Description:

KioqIGluY2x1ZGUvbGludXgvZnMuaC5vbGQJVGh1IE1heSAyOCAyMDo1Nzow
MSAxOTk4DQotLS0gaW5jbHVkZS9saW51eC9mcy5oCVRodSBNYXkgMjggMjA6
NTk6NTcgMTk5OA0KKioqKioqKioqKioqKioqDQoqKiogNzAsNzkgKioqKg0K
LS0tIDcwLDgwIC0tLS0NCiAgI2RlZmluZSBNU19TWU5DSFJPTk9VUwkxNgkv
KiBXcml0ZXMgYXJlIHN5bmNlZCBhdCBvbmNlICovDQogICNkZWZpbmUgTVNf
UkVNT1VOVAkzMgkvKiBBbHRlciBmbGFncyBvZiBhIG1vdW50ZWQgRlMgKi8N
CiAgI2RlZmluZSBTX1dSSVRFCQkxMjgJLyogV3JpdGUgb24gZmlsZS9kaXJl
Y3Rvcnkvc3ltbGluayAqLw0KICAjZGVmaW5lIFNfQVBQRU5ECTI1NgkvKiBB
cHBlbmQtb25seSBmaWxlICovDQogICNkZWZpbmUgU19JTU1VVEFCTEUJNTEy
CS8qIEltbXV0YWJsZSBmaWxlICovDQorICNkZWZpbmUgU19TRUNVUkUJMTAy
NAkvKiBTZWN1cmUgZmlsZSAqLw0KICANCiAgLyoNCiAgICogRmxhZ3MgdGhh
dCBjYW4gYmUgYWx0ZXJlZCBieSBNU19SRU1PVU5UDQogICAqLw0KICAjZGVm
aW5lIE1TX1JNVF9NQVNLIChNU19SRE9OTFkpDQoqKioqKioqKioqKioqKioN
CioqKiA5OSwxMDggKioqKg0KLS0tIDEwMCwxMTAgLS0tLQ0KICAjZGVmaW5l
IElTX1NZTkMoaW5vZGUpICgoaW5vZGUpLT5pX2ZsYWdzICYgTVNfU1lOQ0hS
T05PVVMpDQogIA0KICAjZGVmaW5lIElTX1dSSVRBQkxFKGlub2RlKSAoKGlu
b2RlKS0+aV9mbGFncyAmIFNfV1JJVEUpDQogICNkZWZpbmUgSVNfQVBQRU5E
KGlub2RlKSAoKGlub2RlKS0+aV9mbGFncyAmIFNfQVBQRU5EKQ0KICAjZGVm
aW5lIElTX0lNTVVUQUJMRShpbm9kZSkgKChpbm9kZSktPmlfZmxhZ3MgJiBT
X0lNTVVUQUJMRSkNCisgI2RlZmluZSBJU19TRUNVUkUoaW5vZGUpICgoaW5v
ZGUtPmlfZmxhZ3MgJiBTX1NFQ1VSRSkNCiAgDQogIC8qIHRoZSByZWFkLW9u
bHkgc3R1ZmYgZG9lc24ndCByZWFsbHkgYmVsb25nIGhlcmUsIGJ1dCBhbnkg
b3RoZXIgcGxhY2UgaXMNCiAgICAgcHJvYmFibHkgYXMgYmFkIGFuZCBJIGRv
bid0IHdhbnQgdG8gY3JlYXRlIHlldCBhbm90aGVyIGluY2x1ZGUgZmlsZS4g
Ki8NCiAgDQogICNkZWZpbmUgQkxLUk9TRVQgICBfSU8oMHgxMiw5MykJLyog
c2V0IGRldmljZSByZWFkLW9ubHkgKDAgPSByZWFkLXdyaXRlKSAqLw0KKioq
IGluY2x1ZGUvbGludXgvc2NoZWQuaC5vbGQJVHVlIEFwciAgNyAxNjozODo0
NSAxOTk4DQotLS0gaW5jbHVkZS9saW51eC9zY2hlZC5oCVRodSBNYXkgMjgg
MTk6NDk6MTcgMTk5OA0KKioqKioqKioqKioqKioqDQoqKiogMjA2LDIxNyAq
KioqDQogIAkgKiBvbGRlciBzaWJsaW5nLCByZXNwZWN0aXZlbHkuICAocC0+
ZmF0aGVyIGNhbiBiZSByZXBsYWNlZCB3aXRoIA0KICAJICogcC0+cF9wcHRy
LT5waWQpDQogIAkgKi8NCiAgCXN0cnVjdCB0YXNrX3N0cnVjdCAqcF9vcHB0
ciwgKnBfcHB0ciwgKnBfY3B0ciwgKnBfeXNwdHIsICpwX29zcHRyOw0KICAJ
c3RydWN0IHdhaXRfcXVldWUgKndhaXRfY2hsZGV4aXQ7CS8qIGZvciB3YWl0
NCgpICovDQohIAl1bnNpZ25lZCBzaG9ydCB1aWQsZXVpZCxzdWlkLGZzdWlk
Ow0KISAJdW5zaWduZWQgc2hvcnQgZ2lkLGVnaWQsc2dpZCxmc2dpZDsNCiAg
CXVuc2lnbmVkIGxvbmcgdGltZW91dCwgcG9saWN5LCBydF9wcmlvcml0eTsN
CiAgCXVuc2lnbmVkIGxvbmcgaXRfcmVhbF92YWx1ZSwgaXRfcHJvZl92YWx1
ZSwgaXRfdmlydF92YWx1ZTsNCiAgCXVuc2lnbmVkIGxvbmcgaXRfcmVhbF9p
bmNyLCBpdF9wcm9mX2luY3IsIGl0X3ZpcnRfaW5jcjsNCiAgCXN0cnVjdCB0
aW1lcl9saXN0IHJlYWxfdGltZXI7DQogIAlsb25nIHV0aW1lLCBzdGltZSwg
Y3V0aW1lLCBjc3RpbWUsIHN0YXJ0X3RpbWU7DQotLS0gMjA2LDIxOCAtLS0t
DQogIAkgKiBvbGRlciBzaWJsaW5nLCByZXNwZWN0aXZlbHkuICAocC0+ZmF0
aGVyIGNhbiBiZSByZXBsYWNlZCB3aXRoIA0KICAJICogcC0+cF9wcHRyLT5w
aWQpDQogIAkgKi8NCiAgCXN0cnVjdCB0YXNrX3N0cnVjdCAqcF9vcHB0ciwg
KnBfcHB0ciwgKnBfY3B0ciwgKnBfeXNwdHIsICpwX29zcHRyOw0KICAJc3Ry
dWN0IHdhaXRfcXVldWUgKndhaXRfY2hsZGV4aXQ7CS8qIGZvciB3YWl0NCgp
ICovDQohIAl1bnNpZ25lZCBzaG9ydCB1aWQsZXVpZCxzdWlkLGZzdWlkLHJ1
aWQ7DQohIAl1bnNpZ25lZCBzaG9ydCBnaWQsZWdpZCxzZ2lkLGZzZ2lkLHJn
aWQ7DQohIAl1bnNpZ25lZCBzaG9ydCBzZWN1cmU7DQogIAl1bnNpZ25lZCBs
b25nIHRpbWVvdXQsIHBvbGljeSwgcnRfcHJpb3JpdHk7DQogIAl1bnNpZ25l
ZCBsb25nIGl0X3JlYWxfdmFsdWUsIGl0X3Byb2ZfdmFsdWUsIGl0X3ZpcnRf
dmFsdWU7DQogIAl1bnNpZ25lZCBsb25nIGl0X3JlYWxfaW5jciwgaXRfcHJv
Zl9pbmNyLCBpdF92aXJ0X2luY3I7DQogIAlzdHJ1Y3QgdGltZXJfbGlzdCBy
ZWFsX3RpbWVyOw0KICAJbG9uZyB1dGltZSwgc3RpbWUsIGN1dGltZSwgY3N0
aW1lLCBzdGFydF90aW1lOw0KKioqKioqKioqKioqKioqDQoqKiogMjkwLDMw
MCAqKioqDQogIC8qIHN0YWNrICovCTAsKHVuc2lnbmVkIGxvbmcpICZpbml0
X2tlcm5lbF9zdGFjaywgXA0KICAvKiBlYyxicmsuLi4gKi8JMCwwLDAsMCww
LCBcDQogIC8qIHBpZCBldGMuLiAqLwkwLDAsMCwwLDAsIFwNCiAgLyogc3Vw
cGwgZ3JwcyovIHtOT0dST1VQLH0sIFwNCiAgLyogcHJvYyBsaW5rcyovICZp
bml0X3Rhc2ssJmluaXRfdGFzayxOVUxMLE5VTEwsTlVMTCxOVUxMLCBcDQoh
IC8qIHVpZCBldGMgKi8JMCwwLDAsMCwwLDAsMCwwLCBcDQogIC8qIHRpbWVv
dXQgKi8JMCxTQ0hFRF9PVEhFUiwwLDAsMCwwLDAsMCwwLCBcDQogIC8qIHRp
bWVyICovCXsgTlVMTCwgTlVMTCwgMCwgMCwgaXRfcmVhbF9mbiB9LCBcDQog
IC8qIHV0aW1lICovCTAsMCwwLDAsMCwgXA0KICAvKiBmbHQgKi8JMCwwLDAs
MCwwLDAsIFwNCiAgLyogc3dwICovCTAsMCwwLDAsMCwgXA0KLS0tIDI5MSwz
MDEgLS0tLQ0KICAvKiBzdGFjayAqLwkwLCh1bnNpZ25lZCBsb25nKSAmaW5p
dF9rZXJuZWxfc3RhY2ssIFwNCiAgLyogZWMsYnJrLi4uICovCTAsMCwwLDAs
MCwgXA0KICAvKiBwaWQgZXRjLi4gKi8JMCwwLDAsMCwwLCBcDQogIC8qIHN1
cHBsIGdycHMqLyB7Tk9HUk9VUCx9LCBcDQogIC8qIHByb2MgbGlua3MqLyAm
aW5pdF90YXNrLCZpbml0X3Rhc2ssTlVMTCxOVUxMLE5VTEwsTlVMTCwgXA0K
ISAvKiB1aWQgZXRjICovCTAsMCwwLDAsMCwwLDAsMCwwLDAsMCwgXA0KICAv
KiB0aW1lb3V0ICovCTAsU0NIRURfT1RIRVIsMCwwLDAsMCwwLDAsMCwgXA0K
ICAvKiB0aW1lciAqLwl7IE5VTEwsIE5VTEwsIDAsIDAsIGl0X3JlYWxfZm4g
fSwgXA0KICAvKiB1dGltZSAqLwkwLDAsMCwwLDAsIFwNCiAgLyogZmx0ICov
CTAsMCwwLDAsMCwwLCBcDQogIC8qIHN3cCAqLwkwLDAsMCwwLDAsIFwNCioq
KiBmcy9leGVjLmMub2xkCVdlZCBNYXkgIDYgMTQ6MzU6MTggMTk5OA0KLS0t
IGZzL2V4ZWMuYwlTdW4gTWF5IDI0IDE5OjIxOjQ5IDE5OTgNCioqKioqKioq
KioqKioqKg0KKioqIDQ4OSw0OTggKioqKg0KLS0tIDQ4OSw1MDEgLS0tLQ0K
ICAJYnBybS0+ZV91aWQgPSBjdXJyZW50LT5ldWlkOw0KICAJYnBybS0+ZV9n
aWQgPSBjdXJyZW50LT5lZ2lkOw0KICANCiAgCWlkX2NoYW5nZSA9IDA7DQog
IA0KKyAJaWYgKG1vZGUgJiBTX0lTVlRYKSBjdXJyZW50LT5zZWN1cmU9MTsN
CisgCWVsc2UgaWYgKGN1cnJlbnQtPnNlY3VyZT09MSkgY3VycmVudC0+c2Vj
dXJlPTI7DQorIAllbHNlIGN1cnJlbnQtPnNlY3VyZT0wOw0KICANCiAgCS8q
IFNldC11aWQ/ICovDQogIAlpZiAobW9kZSAmIFNfSVNVSUQpIHsNCiAgCQli
cHJtLT5lX3VpZCA9IGJwcm0tPmlub2RlLT5pX3VpZDsNCiAgCQlpZiAoYnBy
bS0+ZV91aWQgIT0gY3VycmVudC0+ZXVpZCkNCioqKioqKioqKioqKioqKg0K
KioqIDYyMyw2MzIgKioqKg0KLS0tIDYyNiw2NDIgLS0tLQ0KICBpbnQgZG9f
ZXhlY3ZlKGNoYXIgKiBmaWxlbmFtZSwgY2hhciAqKiBhcmd2LCBjaGFyICoq
IGVudnAsIHN0cnVjdCBwdF9yZWdzICogcmVncykNCiAgew0KICAJc3RydWN0
IGxpbnV4X2JpbnBybSBicHJtOw0KICAJaW50IHJldHZhbDsNCiAgCWludCBp
Ow0KKyANCisgCWlmICgoY3VycmVudC0+c2VjdXJlPT0wKSAmJiAoY3VycmVu
dC0+cnVpZCE9MCkgJiYgKChjdXJyZW50LT5ldWlkIT1jdXJyZW50LT5ydWlk
KSB8fCAoY3VycmVudC0+dWlkIT1jdXJyZW50LT5ydWlkKSkpDQorIAkgew0K
KyAJICBwcmludGsoIiFFeGVjOiAgRVVJRDolZCBFR0lEOiVkIFJVSUQ6JWQg
UkdJRDolZCBGaWxlOiVzXG4iLGN1cnJlbnQtPmV1aWQsY3VycmVudC0+ZWdp
ZCxjdXJyZW50LT5ydWlkLGN1cnJlbnQtPnJnaWQsZmlsZW5hbWUpOw0KKyAJ
ICBjdXJyZW50LT5ldWlkPWN1cnJlbnQtPnVpZD1jdXJyZW50LT5mc3VpZD1j
dXJyZW50LT5zdWlkPWN1cnJlbnQtPnJ1aWQ7DQorIAkgIGN1cnJlbnQtPmVn
aWQ9Y3VycmVudC0+Z2lkPWN1cnJlbnQtPmZzZ2lkPWN1cnJlbnQtPnNnaWQ9
Y3VycmVudC0+cmdpZDsNCisgCSB9DQogIA0KICAJYnBybS5wID0gUEFHRV9T
SVpFKk1BWF9BUkdfUEFHRVMtc2l6ZW9mKHZvaWQgKik7DQogIAlmb3IgKGk9
MCA7IGk8TUFYX0FSR19QQUdFUyA7IGkrKykJLyogY2xlYXIgcGFnZS10YWJs
ZSAqLw0KICAJCWJwcm0ucGFnZVtpXSA9IDA7DQogIAlyZXR2YWwgPSBvcGVu
X25hbWVpKGZpbGVuYW1lLCAwLCAwLCAmYnBybS5pbm9kZSwgTlVMTCk7DQoq
Kioga2VybmVsL3N5cy5jLm9sZAlXZWQgQXByIDI5IDAxOjIxOjQzIDE5OTgN
Ci0tLSBrZXJuZWwvc3lzLmMJVHVlIE1hciAyNCAxODoxNDo1NCAxOTk4DQoq
KioqKioqKioqKioqKioNCioqKiAyNzcsMjg2ICoqKioNCi0tLSAyNzcsMjg3
IC0tLS0NCiAgCQljdXJyZW50LT5naWQgPSBjdXJyZW50LT5lZ2lkID0gY3Vy
cmVudC0+c2dpZCA9IGN1cnJlbnQtPmZzZ2lkID0gZ2lkOw0KICAJZWxzZSBp
ZiAoKGdpZCA9PSBjdXJyZW50LT5naWQpIHx8IChnaWQgPT0gY3VycmVudC0+
c2dpZCkpDQogIAkJY3VycmVudC0+ZWdpZCA9IGN1cnJlbnQtPmZzZ2lkID0g
Z2lkOw0KICAJZWxzZQ0KICAJCXJldHVybiAtRVBFUk07DQorIAlpZiAoY3Vy
cmVudC0+cnVpZD09MCkgY3VycmVudC0+cmdpZD1naWQ7DQogIAlpZiAoY3Vy
cmVudC0+ZWdpZCAhPSBvbGRfZWdpZCkNCiAgCQljdXJyZW50LT5kdW1wYWJs
ZSA9IDA7DQogIAlyZXR1cm4gMDsNCiAgfQ0KICAgIA0KKioqKioqKioqKioq
KioqDQoqKiogNDk0LDUwMyAqKioqDQotLS0gNDk1LDUwNSAtLS0tDQogIAkJ
Y3VycmVudC0+dWlkID0gY3VycmVudC0+ZXVpZCA9IGN1cnJlbnQtPnN1aWQg
PSBjdXJyZW50LT5mc3VpZCA9IHVpZDsNCiAgCWVsc2UgaWYgKCh1aWQgPT0g
Y3VycmVudC0+dWlkKSB8fCAodWlkID09IGN1cnJlbnQtPnN1aWQpKQ0KICAJ
CWN1cnJlbnQtPmZzdWlkID0gY3VycmVudC0+ZXVpZCA9IHVpZDsNCiAgCWVs
c2UNCiAgCQlyZXR1cm4gLUVQRVJNOw0KKyAJaWYgKGN1cnJlbnQtPnJ1aWQ9
PTApIGN1cnJlbnQtPnJ1aWQ9dWlkOw0KICAJaWYgKGN1cnJlbnQtPmV1aWQg
IT0gb2xkX2V1aWQpDQogIAkJY3VycmVudC0+ZHVtcGFibGUgPSAwOw0KICAJ
cmV0dXJuKDApOw0KICB9DQogIA0KKioqIGtlcm5lbC9mb3JrLmMub2xkCUZy
aSBNYXkgIDEgMTI6MDQ6MTQgMTk5OA0KLS0tIGtlcm5lbC9mb3JrLmMJVHVl
IE1hciAyNCAxNzozOTowNiAxOTk4DQoqKioqKioqKioqKioqKioNCioqKiAy
ODEsMjkwICoqKioNCi0tLSAyODEsMjk1IC0tLS0NCiAgDQogIAkvKiBvaywg
bm93IHdlIHNob3VsZCBiZSBzZXQgdXAuLiAqLw0KICAJcC0+c3dhcHBhYmxl
ID0gMTsNCiAgCXAtPmV4aXRfc2lnbmFsID0gY2xvbmVfZmxhZ3MgJiBDU0lH
TkFMOw0KICAJcC0+Y291bnRlciA9IChjdXJyZW50LT5jb3VudGVyID4+PSAx
KTsNCisgCWlmIChwLT5zZWN1cmU9PTApIHsNCisgCQlwLT51aWQ9cC0+ZXVp
ZD1wLT5mc3VpZD1wLT5zdWlkPXAtPnJ1aWQ7DQorIAkJcC0+Z2lkPXAtPmVn
aWQ9cC0+ZnNnaWQ9cC0+c2dpZD1wLT5yZ2lkOw0KKyAJCX0NCisgCQ0KICAJ
d2FrZV91cF9wcm9jZXNzKHApOwkJCS8qIGRvIHRoaXMgbGFzdCwganVzdCBp
biBjYXNlICovDQogIAkrK3RvdGFsX2ZvcmtzOw0KICAJcmV0dXJuIHAtPnBp
ZDsNCiAgDQogIGJhZF9mb3JrX2NsZWFudXBfc2lnaGFuZDoNCg==
--1656955146-1932165182-896423360=:5162--



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault