Penetration Testing mailing list archives
Re: question on escalating privileges via suid vulnerabilities
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 26 Feb 2007 14:08:20 +0100 (ora solare Europa occidentale)
John, On Sat, 24 Feb 2007, John McGuire wrote:
I was curious if anyone knows if new protections have been put in place to prevent spawning root shells from vulnerable applications.
[snip]
When I run the app as a non-root user, I get a /bin/sh prompt with that users perms, not roots. I modified this program a bit to take an argument off the command line and passed it `whoami`. This returned root as the response. /bin/sh however belongs to the lower priv user.
Hrm, this is the expected behaviour. Take a look at the following example:
root@shaolin:/home/raptor# cat >vuln1.c
#include <stdio.h>
int main() {
char *arr[2];
arr[0] = "/bin/sh";
arr[1] = NULL;
execve (arr[0], arr, NULL);
}
root@shaolin:/home/raptor# gcc vuln1.c -o vuln1
root@shaolin:/home/raptor# chmod 4755 vuln1
root@shaolin:/home/raptor# su - raptor
raptor@shaolin:~$ ./vuln1
sh-3.1$ id
uid=1000(raptor) gid=100(users) groups=100(users)
sh-3.1$ exit
exit
raptor@shaolin:~$
root@shaolin:/home/raptor# cat > vuln2.c
#include <stdio.h>
int main() {
char *arr[2];
arr[0] = "/bin/sh";
arr[1] = NULL;
setuid(0); // HERE
execve (arr[0], arr, NULL);
}
root@shaolin:/home/raptor# gcc vuln2.c -o vuln2
root@shaolin:/home/raptor# chmod 4755 vuln2
root@shaolin:/home/raptor# su - raptor
raptor@shaolin:~$ ./vuln2
sh-3.1# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.1# exit
exit
raptor@shaolin:~$
In short, when you execute a file with the setuid bit set, the spawned
process runs with privileges similar to the following:
uid=1000(raptor) gid=100(users) euid=0(root) groups=100(users)Since as a "security measure" bash (and most modern shells, with some notable exceptions) checks if euid != uid and if that's the case drops privileges back to uid, you should explicitly do a setuid(0) before executing the shell.
This is _extremely_ basic knowledge. I encourage you to take a look at the following resources, in case you haven't already:
http://www.0xdeadbeef.info/code/linux-x86-exploits.tgz http://www.0xdeadbeef.info/code/vulndev-exploits.tgz http://www.0xdeadbeef.info/code/abo-exploits.tgz http://www.0xdeadbeef.info/code/fs-exploits.tgzNot very up to date, but still a good starting point for learning, IMHO. And of course man(1) and Google are your friends;)
-- Marco Ivaldi, OPST Chief Security Officer Data Security Division @ Mediaservice.net Srl http://mediaservice.net/ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- question on escalating privileges via suid vulnerabilities John McGuire (Feb 25)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities John McGuire (Feb 26)
- Message not available
- Re: question on escalating privileges via suid vulnerabilities Christoph Bussenius (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Marco Ivaldi (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Andrea Purificato - bunker (Feb 26)
- Re: question on escalating privileges via suid vulnerabilities Fábio Russo (Feb 28)