List: bugtraq
Subject: Re: system() call in suid programs
From: "Kari E. Hurtta" <Kari.Hurtta () dionysos ! fmi ! fi>
Date: 1996-06-14 20:25:48
Not Joe writes:
> Hello,
>
> I know that it is bad to use the system() system call in programs, especially
> ones that are suid root, and that it can be exploited fairly easily. Could
> somebody post or send me details how exploits based on the system() call work?
> Detail would be good, as I am supposed to explain the security implications
> to my boss at our next meeting.

system(char *str) does the following:

    fork()s
    exec()s '/bin/sh' with arguments '-c' and str

This means:

- All of the shell's metacharacters are in effect:
      ; $ \ & ' " [ ] ( ) { } :

  * For example, if your code is

        sprintf(buffer,"telnet %s",host);
        system(buffer);

  * Consider what happens if 'host' is:

        badname; rm -rf /

- The shell follows environment variables such as
  PATH and IFS

  * Consider what happens if the user
    adds '.' to the beginning of the path and
    puts a script with the name 'telnet' in the
    default directory:

        #!/bin/sh
        cp /bin/sh my_suid_shell
        chmod u+s my_suid_shell

    and calls your suid program.

  * Consider what happens if your code is

        sprintf(buffer,"/usr/bin/telnet %s",host);
        system(buffer);

    and the user adds '/tmp' to $PATH and sets $IFS to " /"
    and puts a script with the name 'usr' in
    /tmp
    and calls your suid program.
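
Added example, not part of the original message: one way to run the same telnet command from a privileged program without going through /bin/sh, so that metacharacters in 'host' and the caller's $PATH and $IFS have no effect. The names host_is_safe and run_no_shell and the fixed environment values are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only hostname characters; reject a leading '-' so the value
 * cannot be taken for a command-line option. */
int host_is_safe(const char *host)
{
    size_t i, n = strlen(host);
    if (n == 0 || n > 255 || host[0] == '-')
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '.' && host[i] != '-')
            return 0;
    return 1;
}

/* fork() + execve() with an absolute path and a fixed environment.
 * No shell runs, so metacharacters, $PATH and $IFS from the caller
 * have no effect. Returns the child's exit status, or -1 on error. */
int run_no_shell(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);   /* hypothetical fixed environment */
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 2 || !host_is_safe(argv[1])) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        return 2;
    }
    /* /usr/bin/telnet is the path used in the message above. */
    char *const args[] = { "telnet", argv[1], NULL };
    return run_no_shell("/usr/bin/telnet", args);
}
```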