Penetration Testing mailing list archives
question on escalating privileges via suid vulnerabilities
From: "John McGuire" <jmcguire81 () gmail com>
Date: Sat, 24 Feb 2007 11:52:49 -0700
I was curious if anyone knows if new protections have been put in place to prevent spawning root shells from vulnerable applications. I have recently started learning about stack-based exploits and have bumped into an issue that I'm not sure what the culprit is. When overflowing a simple test application, the shell being spawned belongs to the local user I am running as, not to root as the program is suid'd to.

I created a small C program to demonstrate:

    #include <stdio.h>
    #include <unistd.h>   /* execve() */

    int main(void)
    {
        char *arr[2];

        arr[0] = "/bin/sh";
        arr[1] = NULL;

        /* execve() only returns if it fails */
        execve(arr[0], arr, NULL);
        return 1;
    }

This gets compiled and perms set:

    gcc vuln.c -o vuln
    chown root vuln
    chmod 4755 vuln

When I run the app as a non-root user, I get a /bin/sh prompt with that user's perms, not root's.

I modified this program a bit to take an argument off the command line and passed it `whoami`. This returned root as the response. /bin/sh, however, belongs to the lower-priv user.

Is this caused by a change to all the shells to prevent this kind of thing and docs just haven't caught up? I bumped into that already with stack randomization being on by default in 2.6 kernels, so that wouldn't be too surprising. If this is the case, anyone know any decent docs to start pointing the way to getting around this?

Thanks,
John McGuire
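The behaviour John describes (whoami reports root, but the spawned /bin/sh runs as the calling user) is what you see when the shell compares its real and effective uid at startup and drops the effective uid because they differ; bash does this unless it is started with -p. whoami only looks at the effective uid, so it still says root. The standard remedy in setuid exploitation is to make the real uid equal the effective uid before exec'ing the shell: on Linux, a setuid-root process calling setuid(0) sets real, effective and saved uid to 0 at once. The program below is an added example written for this archive page, not code from the original post or its replies; it reports the uids before and after the change and then execs /bin/sh the same way John's test program does. When built and installed with the same gcc/chown/chmod 4755 sequence as above, it drops into a shell whose real and effective uid are both root. Run without the setuid bit it simply execs an ordinary shell.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Added example: returns 1 when the process's real and effective uid
 * agree, 0 when they differ (the condition a privilege-dropping shell
 * checks for at startup).
 */
int real_matches_effective(void)
{
    return getuid() == geteuid();
}

/*
 * Make the real uid equal the effective uid.  In a setuid-root binary
 * geteuid() is 0, so setuid(0) sets real, effective and saved uid to
 * root; in an unprivileged process setuid(geteuid()) is a no-op that
 * still succeeds.  Returns 0 on success, -1 (errno set) on failure.
 */
int raise_to_effective(void)
{
    return setuid(geteuid());
}

/* Print the current uid pair so the effect of raise_to_effective() is visible. */
static void report(const char *tag)
{
    fprintf(stderr, "%s: uid=%u euid=%u\n", tag,
            (unsigned)getuid(), (unsigned)geteuid());
}

int main(void)
{
    /* /bin/sh is the shell path used in the original post. */
    char *argv[] = { "/bin/sh", NULL };

    report("before setuid");
    if (raise_to_effective() != 0) {
        perror("setuid");
        return 1;
    }
    report("after setuid");

    /* Same exec as the original test program; only returns on failure. */
    execve(argv[0], argv, NULL);
    perror("execve");
    return 1;
}
```

A quick way to confirm the diagnosis without changing the binary is to compare `id -u` and `id -ru` inside the spawned shell: a shell that dropped privileges shows the same non-zero value for both, while the whoami test from the post reports root because it consults only the effective uid.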
Current thread:
- question on escalating privileges via suid vulnerabilities John McGuire (Feb 25)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities John McGuire (Feb 26)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities Christoph Bussenius (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Marco Ivaldi (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Andrea Purificato - bunker (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Fábio Russo (Feb 28)