Bugtraq
mailing list archives
Re: Format String Attacks
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Thu, 14 Sep 2000 17:03:00 -0700
Drazen Kacar <dave () SRCE HR> writes:
> You can't rely on argv[0], because any program can change that. On Solaris
> you can use getexecname(3c) to get the name of the executed file.

The man page says that won't always be an absolute path, though:

     Normally this is an absolute pathname, as the majority of
     commands are executed by the shells who append the command
     name to the users PATH components. If this is not an
     absolute path, getcwd(3C) can be prepended to it to create an
     absolute path.
     [...]
     The getexecname() function obtains the executable pathname
     from the AT_SUN_EXECNAME aux vector. These vectors are made
     available to dynamically linked processes only.

> Symlinks will be resolved. I don't know if it's possible to exploit some race
> condition with it. It would be advisable to limit programs which you
> execute to the trusted path, such as /usr/bin. Or a path prefix, at least.

On my Solaris 2.6 system, all system setid programs were under /etc or /usr,
but that may vary from system to system, of course.

> Some programs (or administrators) will need environment variables, so
> it would be nice just to remove the unwanted ones.

Yeah, it's definitely major overkill to delete the entire environment. My
script only clears the environment variables you specify.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
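
The checks discussed in this message, as an added C example (not code from the thread or from the script mentioned above): making a possibly relative executable name absolute with getcwd(), accepting it only under a trusted prefix, and removing only named environment variables. The function names, the /usr and /etc prefix list, and the rejection of ".." components are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed policy for this example: where setid programs may live. */
static const char *const trusted_prefixes[] = { "/usr", "/etc", NULL };

/* Make `name` absolute as the man page suggests: prepend getcwd() when it
 * does not start with '/'. Returns 0 on success, -1 on error/truncation. */
int make_absolute(const char *name, char *out, size_t outlen)
{
    char cwd[4096];
    int n;
    if (name == NULL || name[0] == '\0')
        return -1;
    if (name[0] == '/')
        n = snprintf(out, outlen, "%s", name);
    else if (getcwd(cwd, sizeof cwd) != NULL)
        n = snprintf(out, outlen, "%s/%s", cwd, name);
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if `path` is absolute, has no ".." component, and sits below a trusted
 * prefix on a component boundary ("/usrlocal/x" does not match "/usr"). */
int path_is_trusted(const char *path)
{
    size_t i, len;
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return 0;
    len = strlen(path);
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0)
        return 0;
    for (i = 0; trusted_prefixes[i] != NULL; i++) {
        size_t plen = strlen(trusted_prefixes[i]);
        if (strncmp(path, trusted_prefixes[i], plen) == 0 && path[plen] == '/')
            return 1;
    }
    return 0;
}

/* Remove only the listed variables; returns how many had been set. */
int scrub_env(const char *const *names)
{
    int removed = 0;
    for (; *names != NULL; names++)
        if (getenv(*names) != NULL && unsetenv(*names) == 0)
            removed++;
    return removed;
}
```

The prefix test is purely lexical, so it does not address the symlink or race-condition question raised in the quoted text.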