Bugtraq mailing list archives
suid_exec problem clarification
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Thu, 5 Dec 1996 18:52:54 -0600
Howdy,

A few people helped me find out what suid_exec does, thank you guys. It is part of ksh in its original variant, and it is used internally by ksh to execute suid shell scripts, trying to do it in a secure way, supposedly eliminating the possibility of symlink and race condition attacks. ksh has its internal hooks for suid_exec, that's why it looks in argv[0] for the command path.

suid_exec checks the ownership of the file from argv[0] and compares it with the ownership of /etc/suid_exec, and if they match, bypasses the setreuid() call. If they don't, uid and gid are set to those of the file in argv[0]. Then it takes the name of the shell from $SHELL and checks it for validity. It should be in one of the trusted dirs (/bin, /usr/bin and /usr/lbin) and the name of the shell should end with "sh". If the name doesn't match, /bin/sh is invoked.

If tcsh or a similar shell that does initialization and uses the user's dot files is present in any of the trusted dirs, suid_exec can be trivially exploited.

Another potentially exploitable vulnerability lies in the way a particular shell deals with file parsing. /bin/sh on Irix, for example, honestly tries to parse the ELF binary, gets the filename, something like ^AELF^A^B^^A, and looks for a file with this name in PATH. It doesn't execute such a file even if it's found, because of a parsing error (an ELF binary doesn't exactly follow ksh script syntax), but some other shell may behave differently.

So the problem is not limited to Irix only, but can exist in any OS that has the original ksh and associated utilities. If no changes were made from the original version and the above conditions for shells are met, the system is vulnerable. Check your system. If you find suid_exec on your machine, remove the suid bit from it (unless you badly need to execute suid ksh scripts. But if you do that, security probably isn't important to you anyway).

cheers,
yuri

Always speaking for myself and only for myself
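The check the post asks for ("check your system, and if suid_exec is setuid, remove the bit"), written up as an added audit script. This is not part of the original post and not ksh's own code; the install paths in KNOWN_PATHS are assumptions, and shell_name_accepted() is a model of the $SHELL rule as the post describes it (trusted dir, name ending in "sh"), not the real suid_exec source. It also lists which "sh"-named programs in the trusted dirs would be accepted in $SHELL, which is what decides whether a dot-file-reading shell such as tcsh is reachable.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): reports whether a setuid
# suid_exec is installed, and which "sh"-named programs sit in the directories
# suid_exec trusts for $SHELL, following the behaviour described in the post.
# KNOWN_PATHS are assumed install locations; adjust for your system.

TRUSTED_DIRS="/bin /usr/bin /usr/lbin"
KNOWN_PATHS="/etc/suid_exec /usr/bin/suid_exec /usr/lib/suid_exec"

# Model of the $SHELL rule from the post: the shell must sit directly in one of
# TRUSTED_DIRS and its basename must end in "sh".  Exit 0 = suid_exec would
# accept it, 1 = it would fall back to /bin/sh.  (Modelled on the description
# in the post, not taken from the suid_exec source.)
shell_name_accepted() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    case "$base" in
        *sh) ;;
        *)   return 1 ;;
    esac
    for d in $TRUSTED_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1
}

# Print every executable whose name ends in "sh" under the given directories
# (default: TRUSTED_DIRS).  Each of these can be named in $SHELL and will be
# handed a setuid script; one that reads per-user dot files (tcsh and friends)
# is the case the post warns about.
list_accepted_shells() {
    for d in ${*:-$TRUSTED_DIRS}; do
        [ -d "$d" ] || continue
        for f in "$d"/*sh; do
            [ -x "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Recursively find setuid files named suid_exec under the given directories.
# Prints each hit.  Exit 0 when nothing is found, 1 when at least one exists.
find_setuid_suid_exec() {
    hits=$(find "$@" -name suid_exec -perm -4000 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Cheap check of the assumed install paths only.  Exit 0 = none is setuid.
check_known_paths() {
    bad=0
    for f in $KNOWN_PATHS; do
        if [ -u "$f" ]; then
            printf 'setuid suid_exec present: %s  (remove with: chmod u-s %s)\n' "$f" "$f"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh suid_exec_audit.sh [DIR ...]
# With no arguments only KNOWN_PATHS are checked; with directories given they
# are searched recursively (e.g. /etc /usr /sbin /bin).
if [ $# -gt 0 ]; then
    find_setuid_suid_exec "$@" || echo 'suid_exec is setuid: consider chmod u-s'
else
    check_known_paths || true
fi
echo 'Shells suid_exec would accept in $SHELL:'
list_accepted_shells
```

Run it as root for a full view, since setuid bits on files in directories you cannot read will be missed. A clean result from this script is not a proof of safety: it only covers the two conditions the post names, the setuid bit on suid_exec and the presence of a dot-file-reading shell in a trusted directory.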
Current thread:
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Terrell Thacker (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul B. Henson (Dec 05)
- SGI Security Advisory 19961201-01-PX - Desktop searchbook Program SGI Security Coordinator (Dec 05)
- suid_exec problem clarification Yuri Volobuev (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Nikolai Matyushenko (Dec 06)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul B. Henson (Dec 06)
- New INN security problems Chris Timmons (Dec 06)
- suid_exec Javier Romeu (Dec 06)
- <Possible follow-ups>
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Kevin L Prigge (Dec 05)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Paul Ashton (Dec 06)
- Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm] Casper Dik (Dec 06)