Bugtraq mailing list archives

(fwd) Re: Format String Attacks
From: Doug Hughes <Doug.Hughes () ENG AUBURN EDU>
Date: Wed, 13 Sep 2000 13:05:45 -0500

Multiple replies:


From: Phil Pennock <Phil.Pennock () globnix org>
On 2000-09-13 at 10:09 -0500, Doug Hughes gifted us with:
     strcpy(origfile, argv[0]);
     strcat(origfile, ".orig");

     execve(origfile, argv, envp);

That execve() line should give the clue.  The executable name does not
need to match argv.

Naturally. As I said, it is very simplistic. That's just
a quick and easy way to give an almost universal wrapper.
The complication occurs only when the setuid program calls
another program while keeping the original argv[0].

I didn't spend a lot of time thinking of a universal
alternative. If anybody wants to contribute an alternative
that can replace any binary without hard-coding, please
be my guest. I thought a 95% solution was better than
nothing.

From: Dan Astoorian <djast () cs toronto edu>

On Wed, 13 Sep 2000 11:09:58 EDT, Doug Hughes writes:
Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

[...]

     if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
             perror("allocating memory");
             exit(1);
     }

Note that perror() itself may perform localization on some platforms and
under some circumstances (e.g., if compiled with -lintl under Solaris).

I don't know whether it's exploitable in practice, but it appears to me
as though this wrapper could suffer, at least theoretically, from the
same weakness as the programs it's trying to protect.


True... possibly with enough effort.  So, replace it with puts.
As I said, this wrapper is very, very simplistic. It
doesn't do a lot. But good catch. Old habits die hard.

------
Most importantly:
From: Serguei Patchkovskii <patchkov () ucalgary ca>
Yeah, it will certainly make it unnecessary to go through the bother of
exploiting any of the format string bugs. However, it is quite unlikely
to make your systems any safer:

#include <unistd.h>

/* Exec the wrapper named on the command line with argv[0] forced to
 * "./gotcha": the wrapper appends ".orig" to that and execs whatever
 * ./gotcha.orig is, with the wrapper's privileges. */
int
main( int argc, char *argv[] )
{
execl( argv[1], "./gotcha", (char *) NULL ) ;
return 1 ;
}

Oof!
Yes, I was looking for a quick fix. Without internal knowledge it
would work too. But as soon as somebody realizes it's based
upon argv, ouch.  So, anyway, the moral is there isn't really
a quick fix and you probably want to hard code
the pathname. You could also just set up execve with a fixed
dummy string and then do a sed/replace loop in perl to
replace the setuid with wrappers as in the original.

Here's a template people can use:

#include <stdio.h>
#include <unistd.h>

int
main (int argc, char *argv[]) {

        char *origfile="/put/the/path/here";
        char *envp[1] = { (char *) NULL };

        /* the target gets a fixed argv[0]; the remaining arguments
         * are passed through unchanged and the environment is empty */
        argv[0] = origfile;
        execve (origfile, argv, envp);
        perror ("execve");
        return 1;
}

--
Doug "I got spanked on Bugtraq" Hughes
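The thread settles on two points: the target path must be hard-coded rather than derived from argv[0], and the wrapped program should not inherit the caller's environment, since locale and message-catalog variables (LANG, LC_*, NLSPATH) decide which format strings a localized program ends up loading. The following wrapper, added here as an example and not code from any poster in the thread, combines both: the target path is a compile-time constant, argv[0] is replaced by that path while the user's real arguments are passed through, and only variables on a small allow-list survive into the target's environment. The target path /usr/bin/eject and the allow-list of TZ and TERM are assumptions chosen for illustration; adjust both for the program being wrapped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hard-coded target: never derived from argv[0]. Assumed path for
 * illustration; replace it with the renamed setuid binary. */
#define TARGET "/usr/bin/eject"

/* Environment variables the wrapped program may receive (assumed
 * allow-list). Everything else is dropped, in particular the locale and
 * message-catalog variables (LANG, LC_*, NLSPATH) that steer which
 * format strings a localized program loads. */
static const char *const allowed_env[] = { "TZ", "TERM", NULL };

/* Does the "name=value" entry kv start with an allowed name? */
static int env_allowed(const char *kv)
{
    for (const char *const *p = allowed_env; *p; p++) {
        size_t n = strlen(*p);
        if (strncmp(kv, *p, n) == 0 && kv[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy the allowed entries of envp into out (at most max-1 entries,
 * NULL-terminated). Returns the number of entries kept. */
int filter_env(char *const envp[], char *out[], size_t max)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] && kept + 1 < max; i++)
        if (env_allowed(envp[i]))
            out[kept++] = envp[i];
    out[kept] = NULL;
    return (int)kept;
}

/* Build the argv the target sees: argv[0] is the fixed path, argv[1..]
 * are the caller's arguments unchanged. Returns the new argc. */
int build_argv(int argc, char *const argv[], char *out[], size_t max)
{
    size_t n = 0;
    if (max < 2)
        return 0;
    out[n++] = (char *)TARGET;
    for (int i = 1; i < argc && n + 1 < max; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    char *new_argv[64];
    char *new_env[8];

    build_argv(argc, argv, new_argv, sizeof new_argv / sizeof new_argv[0]);
    filter_env(environ, new_env, sizeof new_env / sizeof new_env[0]);
    execve(TARGET, new_argv, new_env);

    /* Only reached if execve failed; print nothing user-controlled. */
    perror("execve");
    return 127;
}
```

Against the execl("...", "./gotcha") trick above this wrapper is inert: argv[0] is never read, so the caller can set it to anything and the same fixed binary runs. The environment filtering is what Doug's empty envp does, but without breaking programs that legitimately need a variable or two.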

