Bugtraq mailing list archives
Re: system() call in suid programs
From: Kari.Hurtta () dionysos fmi fi (Kari E. Hurtta)
Date: Fri, 14 Jun 1996 20:25:48 +0300
Not Joe writes:
Hello, I know that it is bad to use the system() system call in programs, especially ones that are suid root, and that it can be exploited fairly easily. Could somebody post or send me details how exploits based on the system() call work? Detail would be good, as I am supposed to explain the security implications to my boss at our next meeting.
system(char *str) does the following:
        fork()s
        exec()s '/bin/sh' with arguments '-c' and str

This means:
- All of the shell's metacharacters are in effect:
        ; $ \ & ' " [ ] ( ) { } : >
  For example, if your code is
        sprintf(buffer,"telnet %s",host);
        system(buffer);
  * Consider what happens if 'host' is:
        badname; rm -rf /
- The shell follows environment variables such as PATH and IFS
  * Consider what happens if the user adds '.' to the beginning of PATH and puts a script with the name 'telnet' in the default directory:
        #!/bin/sh
        cp /bin/sh my_suid_shell
        chmod u+s my_suid_shell
    and calls your suid program.
  * Consider what happens if your code is
        sprintf(buffer,"/usr/bin/telnet %s",host);
        system(buffer);
    and the user adds '/tmp' to $PATH, sets $IFS to " /", puts a script with the name 'usr' in /tmp, and calls your suid program.
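Added example (not part of the original post): one way to run the telnet command from the message without /bin/sh, so that metacharacters in 'host' and the caller's PATH and IFS have no effect. The names valid_host and run_noshell and the fixed environment values are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: letters, digits, '.' and '-' only, and no leading '-'
 * (so the value cannot be read as an option by the program we run). */
int valid_host(const char *h)
{
    size_t i;
    if (h == NULL || h[0] == '\0' || h[0] == '-')
        return 0;
    for (i = 0; h[i] != '\0'; i++) {
        if (i >= 255 || !(isalnum((unsigned char)h[i]) || h[i] == '.' || h[i] == '-'))
            return 0;
    }
    return 1;
}

/* Run prog (an absolute path) with one argument and no shell.
 * Returns the child's exit status, or -1 if nothing was run. */
int run_noshell(const char *prog, const char *arg)
{
    char *const argv[] = { (char *)prog, (char *)arg, NULL };
    /* Fixed environment: the caller's PATH and IFS are never consulted. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    int status;
    pid_t pid;

    if (prog == NULL || prog[0] != '/' || !valid_host(arg))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, envp);   /* exact path, no PATH search, no /bin/sh */
        _exit(127);                 /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    return argc == 2 ? run_noshell("/usr/bin/telnet", argv[1]) : 2;
}
```

Because the argument reaches execve() as a single argv entry, the 'badname; rm -rf /' string from the message is rejected by the allowlist and would in any case never be parsed by a shell.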