|
Bugtraq
mailing list archives
Re: Format String Attacks
From: Doug Hughes <Doug.Hughes () ENG AUBURN EDU>
Date: Wed, 13 Sep 2000 10:09:58 -0500
Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.
/*
* This program provided AS IS with no warranty
* Copyright 2000, doug () eng auburn edu
* Use freely.
* The environment from the original program is completely obliviated
*/
#include <stdio.h>
#include <stdlib.h>
main (int argc, char *argv[]) {
char *origfile;
char *envp[1] = { (char *) NULL };
if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
perror("allocating memory");
exit(1);
}
strcpy(origfile, argv[0]);
strcat(origfile, ".orig");
execve(origfile, argv, envp);
}
Here's a simplistic shell command (with Perl) to replace all the
setuid binaries by renaming them to $file.orig and then copy the wrapper
into place and set the appropriate permissions on the wrapper and the
.orig binary.
#!/bin/sh
find / -local -perm -4111 -print | /opt/local/bin/perl5 -ne 'chomp(); ($dev, $ino, $mode, $nlink, $uid, $gid) =
stat($_); rename "$_", "$_.orig"; system("cp /path/to/compiled/wrapper $_"); chmod $mode, $_; chmod 0111, "$_.orig";
chown $uid, $gid, $_;'
### Caveats ###
This will not work with programs like ps that, on different architectures,
are themselves wrappers around other programs (e.g. on 64 bit Solaris7/8
calls /usr/bin/sparcv9/ps) because argv[0] is still the original program.
So, /usr/bin/ps calls /usr/bin/sparcv9/ps (the setuid program wrapper)
which checks argv and then calls /usr/bin/ps.orig which doesn't exist.
Those will have to be handled on a case by case basis.
Doug Hughes Engineering Network Services
doug () eng auburn edu Auburn University
 By Date 
By Thread
Current thread:
- Format String Attacks Tim Newsham (Sep 12)
- <Possible follow-ups>
- Re: Format String Attacks Doug Hughes (Sep 13)
|
Intro
