(fwd) Re: Format String Attacks

[Doug Hughes <Doug.Hughes () ENG AUBURN EDU>]

Multiple replies:


> From: Phil Pennock <Phil.Pennock () globnix org>
> On 2000-09-13 at 10:09 -0500, Doug Hughes gifted us with:
> >      strcpy(origfile, argv[0]);
> >      strcat(origfile, ".orig");
> >
> >      execve(origfile, argv, envp);
>
> That execve() line should give the clue.  The executable name does not
> need to match argv.

Naturally. As I said, it is very simplistic. That's just
a quick and easy way to give an almost universal wrapper.
The complication occurs only when the setuid program calls
another program while keeping the original argv[0].

I didn't spend a lot of time thinking of a universal
alternative. If anybody want to contribute an alternative
that can replace any binary without hard-coding, please
be my guest. I thought a 95% solution was better than
nothing.

> From: Dan Astoorian <djast () cs toronto edu>
>
> On Wed, 13 Sep 2000 11:09:58 EDT, Doug Hughes writes:
> > Since I don't recall anybody else posting one, here is a simple, generic,
> > setuid wrapper that people could use around, for instance, /usr/bin/eject
> > or other setuid programs.
>
> [...]
>
> >      if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
> >              perror("allocating memory");
> >              exit(1);
> >      }
>
> Note that perror() itself may perform localization on some platforms and
> under some circumstances (e.g., if compiled with -lintl under Solaris).
>
> I don't know whether it's exploitable in practice, but it appears to me
> as though this wrapper could suffer, at least theoretically, from the
> same weakness as the programs it's trying to protect.

True.. possibly with enough effort.  So, replace it with puts.
As I said, this wrapper is very very simplistic. It
doesn't do a lot. But good catch. Old habits die hard.

------
Most importantly:
> From: Serguei Patchkovskii <patchkov () ucalgary ca>
> Yeah, it will certainly make it unnecessary to go through the bother of
> exploiting any of the format string bugs. However, it is quite unlikely
> to make your systems any safer:
>
> #include <unistd.h>
>
> int
> main( int argc, char *argv[] )
> {
> execl( argv[1], "./gotcha", NULL ) ;
> }

Oof!
Yes, I was looking for a quick fix. Without internal knowledge it
would work too. But as soon as somebody realizes it's based
upon argv, ouch.  So, anyway, the moral is there isn't really
a quick fix and you probably want to  hard code
the pathname. You could also just setup execve with a fixed
dummy string and then do a sed/replace loop in perl to
replace the setuid with wrappers as in the original.

Here's a template people can use:

main (int argc, char *argv[]) {

        char *origfile="/put/the/path/here";
        char *envp[1] = { (char *) NULL };
        execve (origfile, ++argv, envp);
}

--
Doug "I got spanked on Bugtraq" Hughes