Bugtraq mailing list archives
Re: Some more MySql security issues
From: Tim Yardley <yardley () UIUC EDU>
Date: Tue, 13 Feb 2001 12:49:51 -0600
At 03:19 PM 2/12/2001, Konrad Rieck wrote:
> A bof is a bof. You are completely right, but as I said and I still believe so, most buffer overflows are just bad coding practice. Don't get confused by all that hype, there are far more applications with buffer overflows in argv that are definitely not security relevant than security relevant ones.
Yes, I agree that they are typically bad coding practice... or at least oversights. As for security relevance, that is all a matter of context... but I will leave that cat in the box.
>> lastly, you stated that nothing is gained by overflowing non-suid programs. that statement is obviously inaccurate. if you gain ANY uid/gid (etc etc) that is not in your current list, you are changing your privileges on the system. whether or not it is a ROOT compromise is a whole different matter.
>
> Maybe I was expressing myself a little bit too sloppily, but if I consider applications that are non-suid (so no set-uid occurs), e.g. the mysql
There are still the cases of capabilities, privileges, etc etc. These pertain more to TOSes than others, however the TOS movement has expanded into the standard free unix environment, albeit in limited form. The point to make here is that setuid/setgid bits are not the only things that could cause you to gain something you didn't have before. A simple theoretical example: say you grant a privilege to a binary such that it can open a port < 1024, and you do so to eliminate the need to make the process setuid. Now, someone overflows a command line argument in that application such that they successfully gain the privilege of binding to a low port that the application had previously. Note that I say successfully due to the fact that a lot of TOS implementations drop privs on exec, so one would have to be more crafty than that (raw shell image replacement and execution based on manipulated eip). Another possibility is a case in which the offensive program is wrapped or used by another that *IS* privileged. Or simply a case in which there is an overflow in a library (which was one of the cases here). All of these are bad in varying degrees.
> Maybe you can explain, how I will change my privileges on a system, when executing exactly such overflows, I can't see it.
See above. Alas though, this is all a moot point. All that needs to be said is that by convention on Bugtraq, people associate setuid with setuid(0), and any other case is referred to as setuid man or setgid man, etc etc. I was just clarifying the fact that you must be careful when saying setuid in a forum that typically associates that with root privs.

/tmy

--
Diving into infinity my consciousness expands in inverse proportion to my distance from singularity
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- - --------------+
| Tim Yardley (yardley () uiuc edu) | http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- - --------------+
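As an added illustration of the low-port example in the message above (this is editorial example code, not anything posted in the thread or shipped with MySQL): the unbounded argv copy that is the "bad coding practice" at issue, the bounded form beside it, and a check of the process's effective capability set so the reader can see that the privilege at stake in a non-setuid binary can be a capability bit such as CAP_NET_BIND_SERVICE rather than a uid. It assumes Linux (capget(2) via the raw syscall; no libcap needed). The buffer size and the function names are the example's own.

```c
/* Added example, not from the thread.  Linux-only: uses capget(2) directly.
 * Shows the argv-copy pattern under discussion (unbounded vs bounded) and
 * reports whether the running process holds CAP_NET_BIND_SERVICE, the kind
 * of non-uid privilege a "non-suid" binary can still carry. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define ARGBUF 64   /* fixed-size destination, chosen for the example */

/* The overflowable pattern: fixed buffer, no length check.  An argv entry
 * longer than dst overwrites whatever follows the buffer on the stack. */
int unsafe_copy_arg(char *dst, size_t dstlen, const char *arg) {
    (void)dstlen;                 /* deliberately ignored: that is the bug */
    strcpy(dst, arg);
    return 0;
}

/* Bounded form: reject input that does not fit instead of truncating it
 * silently.  Returns 0 on success, -1 if arg (plus NUL) exceeds dstlen. */
int safe_copy_arg(char *dst, size_t dstlen, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Is capability `cap` in this process's effective set?
 * Returns 1 if present, 0 if absent, -1 if capget failed. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

int main(int argc, char **argv) {
    char buf[ARGBUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 2;
    }
    /* Even with uid == euid, a non-zero capability result means an argv
     * overflow here would hand the attacker that capability. */
    printf("uid=%u euid=%u cap_net_bind_service=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           has_effective_cap(CAP_NET_BIND_SERVICE));
    if (safe_copy_arg(buf, sizeof buf, argv[1]) < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", ARGBUF - 1);
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

To reproduce the scenario in the message, build this, grant the binary the capability with `setcap cap_net_bind_service=+ep ./a.out` as root, and run it as an ordinary user: uid and euid stay unprivileged while the capability check reports 1. Swapping `safe_copy_arg` for `unsafe_copy_arg` in `main` turns an over-long argument into a stack overflow that executes with that capability in hand, unless the system drops it on exec, as the message notes some implementations do.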
Current thread:
- Some more MySql security issues Joao Gouveia (Feb 10)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Tim Yardley (Feb 12)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Joao Gouveia (Feb 13)
- Re: Some more MySql security issues Tim Yardley (Feb 13)
- Re: Some more MySql security issues Tim Yardley (Feb 12)
- Re: Some more MySql security issues Peter van Dijk (Feb 12)
- Re: Some more MySql security issues Carsten H. Pedersen (Feb 12)
- Re: Some more MySql security issues Konrad Rieck (Feb 12)
- Re: Some more MySql security issues Theodor Milkov (Feb 12)
- <Possible follow-ups>
- Re: Some more MySql security issues Hector A.Paterno (Feb 13)