Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Rick Perry <perry () NEWS VILL EDU>
Date: Wed, 13 Sep 2000 14:42:27 -0400
Doug Hughes <Doug.Hughes () eng auburn edu> writes:

Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

/*
* This program provided AS IS with no warranty
* Copyright 2000, doug () eng auburn edu
* Use freely.
* The environment from the original program is completely obliviated
*/


I found that completely obliviating the environment prevents one from
logging in using CDE in Solaris 7; actually, if you just truncate all
env strings to 128 bytes it prevents CDE login apparently because
there are some necessary long env strings.  The ones I leave alone
are:

#define MAX_LENGTH 128

/* environment variables which we allow to exceed MAX_LENGTH */

char *longenv[] = {
  "DTAPPSEARCHPATH=",
  "DTDATABASESEARCHPATH=",
  "DTHELPSEARCHPATH=",
  "DTSCREENSAVERLIST=",
  "MANPATH=",
  "NLSPATH=",
  "PATH=",
  "TERMCAP=",
  "XFILESEARCHPATH=",
  "XMICONBMSEARCHPATH=",
  "XMICONSEARCHPATH=",
  NULL
};

I know that NLSPATH is in my list above, but having it set long doesn't seem to
be part of the recent exploits.


#include <stdio.h>
#include <stdlib.h>


main (int argc, char *argv[]) {

      char *origfile;
      char *envp[1] = { (char *) NULL };

      if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {


If this wrapper is setuid, using argv[0] doesn't seem safe.  One could
do something like this: cp /bin/sh sh.orig; ln -s path_to_wrapper sh; ./sh
and get a shell under that uid.

What I do instead is something like: execv( ORIG, argv);
where ORIG is #define'd separately (gcc -DORIG=\"/bin/something.orig\") for each
setuid program being wrapped, i.e. each wrapper has a hard-coded string for
the .orig program to execute, and each .orig has its own wrapper.


              perror("allocating memory");
              exit(1);
      }
      strcpy(origfile, argv[0]);
      strcat(origfile, ".orig");



      execve(origfile, argv, envp);
}

...


...Rick  perry () ece villanova edu, http://www.ece.villanova.edu/~perry/ [PGP]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]