Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Thu, 14 Sep 2000 17:03:00 -0700

Drazen Kacar <dave () SRCE HR> writes:
You can't rely on argv[0], because any program can change that. On Solaris
you can use getexecname(3c) to get the name of the executed file.

The man page says that won't always be an absolute path, though:

     Normally this is an absolute pathname, as  the  majority  of
     commands  are  executed by the shells who append the command
     name to the users PATH components.  If this is not an  abso-
     lute  path,  getcwd(3C)  can be prepended to it to create an
     absolute path.


     The getexecname() function obtains the  executable  pathname
     from the AT_SUN_EXECNAME aux vector.  These vectors are made
     available to dynamically linked processes only.

will be resolved. I don't know if it's possible to exploit some race
condition with it. It would be advisable to limit programs which you
execute to the trusted path, such as /usr/bin. Or a path prefix, at least.

On my Solaris 2.6 system, all system setid programs were under /etc or /usr,
but that may vary from system to system, of course.

Some programs (or administrators) will need environment variables, so
it would be nice just to remove the unwanted ones.

Yeah, it's definitely major overkill to delete the entire environment.  My
script only clears the environment variables you specify.

Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]