Bugtraq mailing list archives

suid_exec problem clarification


From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Thu, 5 Dec 1996 18:52:54 -0600


Howdy,

Few people helped me to find out what suid_exec does, thank you guys.

It is part of ksh in its original variant, and it is used internally by ksh
to execute suid shell scripts, thus trying to do it in a secure way,
supposedly eliminating the possibility of symlink and race condition attacks.
ksh has its internal hooks for suid_exec, that's why it looks in argv[0] for
the command path.

suid_exec checks the ownership of the file from argv[0] and compares it with
the ownership of /etc/suid_exec, and if they match, bypasses the setreuid() call.
If they don't, uid and gid are set to those of the file in argv[0].  Then it
takes the name of the shell from $SHELL and checks it for validity.  It should
be in one of the trusted dirs (/bin, /usr/bin and /usr/lbin) and the name of
the shell should end with "sh".  If the name doesn't match, /bin/sh is invoked.

If tcsh or a similar shell that does initialization and uses the user's dot files
is present in any of the trusted dirs, suid_exec can be trivially exploited.

Another potentially exploitable vulnerability lies in the way a particular
shell deals with file parsing.  /bin/sh on Irix, for example, honestly
tries to parse the ELF binary, gets the filename, something like ^AELF^A^B^^A,
and looks for a file with this name in PATH.  It doesn't execute such a file
even if it's found, because of a parsing error (an ELF binary doesn't exactly
follow ksh script syntax), but some other shell may behave differently.

So the problem is not limited to Irix only, but can exist in any OS that has
the original ksh and associated utilities.  If no changes were made from the
original version and the above conditions for shells are met, the system is
vulnerable.  Check your system.  If you find suid_exec on your machine,
remove the suid bit from it (unless you badly need to execute suid ksh scripts.
But if you do that, security probably isn't important to you anyway).
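An added audit helper, not part of the original post: it models the $SHELL acceptance rule described above (trusted dir plus a name ending in "sh"), flags shells in those dirs that read user dot files (tcsh, and csh which behaves the same way; both assumed here), and reports any setuid suid_exec copy. The candidate suid_exec paths are assumptions; the post only names /etc/suid_exec.

```shell
#!/bin/sh
# Added example (not from the original post). Models suid_exec's $SHELL
# rule as the post describes it and audits a host for the risky combination.

TRUSTED_DIRS="/bin /usr/bin /usr/lbin"   # the trusted dirs named in the post

# shell_accepted PATH -> 0 if suid_exec's rule would accept PATH as $SHELL:
# the directory must be one of TRUSTED_DIRS and the basename must end in "sh".
shell_accepted() {
    dir=$(dirname "$1"); base=$(basename "$1")
    case "$base" in
        *sh) ;;              # name ends in "sh": passes the suffix check
        *) return 1 ;;       # anything else is rejected
    esac
    for d in $TRUSTED_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1                 # right name, but outside the trusted dirs
}

# reads_user_dotfiles PATH -> 0 for shells that source user rc files on
# startup (tcsh per the post; csh assumed to behave the same way).
reads_user_dotfiles() {
    case "$(basename "$1")" in
        tcsh|csh) return 0 ;;
        *) return 1 ;;
    esac
}

# list_risky_shells -> prints installed shells that suid_exec would accept
# as $SHELL and that also read user dot files (the combination the post warns about).
list_risky_shells() {
    for d in $TRUSTED_DIRS; do
        for s in "$d"/*sh; do
            [ -x "$s" ] || continue
            shell_accepted "$s" && reads_user_dotfiles "$s" && echo "$s"
        done
    done
}

# is_setuid FILE -> 0 if FILE exists and carries the setuid bit
is_setuid() { [ -u "$1" ]; }

# audit_suid_exec -> reports setuid suid_exec copies (paths are assumptions)
# followed by any risky shells found in the trusted dirs.
audit_suid_exec() {
    for f in /etc/suid_exec /bin/suid_exec /usr/bin/suid_exec; do
        is_setuid "$f" && echo "setuid suid_exec found: $f"
    done
    list_risky_shells
}
```

Run `audit_suid_exec` as an unprivileged user; any reported suid_exec path is the file to strip the suid bit from, and any reported shell is the one that makes that bit dangerous.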

cheers,

yuri
Always speaking for myself and only for myself
