Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Fri, 15 Sep 2000 13:20:02 -0700

Dan Harkless <dan-bugtraq () DILVISH SPEED NET> writes:

Sorry, yet another revision of this script is now available (probably the
last change to be made).  This probably isn't necessary anywhere, but just
to be extra-paranoid, I changed the syscall error reporting to just print
the numeric errno rather than trusting strerror() to not do anything bogus.
I also changed the clearing of the environment variable(s) to be done
manually (using main()'s third parameter) rather than trusting putenv().

Since the new version should be functionally identical to the last one, I
won't waste more bandwidth by posting this rev.  If you'd like it, you can
get it from:

    http://harkless.org/dan/software/wrap_setid_progs_with_envar_clearer

Heh.  Sorry, realized a minor problem with my script driving home last
night.  In -u mode, the script unwrapped any setid programs that had the
".wrapper_due_to_envar_security_hole" extension.

Not safe to trust that all such files were created by the script, though.
In a +w +t directory like /tmp, a user could trick
wrap_setid_progs_with_envar_clearer -u into clobbering another user's file
by creating a fake (setid-self) wrapper.

I changed the script so that for each file, it asks whether it should be
unwrapped, just like in the non -u mode.  The script is available from the
URL above.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]