Bugtraq mailing list archives
Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio)
From: wietse () porcupine org (Wietse Venema)
Date: Wed, 24 Apr 2002 14:17:30 -0400 (EDT)
It is interesting to see that old problems with set-uid commands keep coming back. Allow me to speed up the discussion a bit by enumerating a few other channels for attack on set-uid commands. A quick perusal of /usr/include/sys/proc.h reveals a large number of "inputs" that a child process may inherit from a potentially untrusted parent process. The list includes, but is not limited to: command-line array environment array open files current directory blocked/enabled signals pending timers resource limits scheduling priority All these sources of data can be, and have been, involved in attacks on set-uid or set-gid commands (although I do not remember specific details of pending timer attacks). In addition to these "inheritance" attacks which are specific to set-uid and set-gid commands, set-uid and set-gid commands can be exposed to attacks via the /proc interface, and can be exposed to ordinary data-driven attacks by feeding them nasty inputs. Thus, set-uid and set-gid commands are exposed to a lot more attack types than your average network service. The reason that network attacks get more attention is simply that are more opportunities to exploit them. Wietse
Current thread:
- Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio) Wietse Venema (Apr 24)
- <Possible follow-ups>
- Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio) Steven M. Bellovin (Apr 24)