Re: Format String Attacks

[Doug Hughes <Doug.Hughes () ENG AUBURN EDU>]

Since I don't recall anybody else posting one, here is a simple, generic,
setuid wrapper that people could use around, for instance, /usr/bin/eject
or other setuid programs.

/*
 * This program provided AS IS with no warranty
 * Copyright 2000, doug () eng auburn edu
 * Use freely.
 * The environment from the original program is completely obliviated
 */
#include <stdio.h>
#include <stdlib.h>


main (int argc, char *argv[]) {

        char *origfile;
        char *envp[1] = { (char *) NULL };

        if ((origfile = (char *) malloc(strlen(argv[0])+6)) == NULL) {
                perror("allocating memory");
                exit(1);
        }
        strcpy(origfile, argv[0]);
        strcat(origfile, ".orig");

        execve(origfile, argv, envp);
}


Here's a simplistic shell command (with Perl) to replace all the
setuid binaries by renaming them to $file.orig and then copy the wrapper
into place and set the appropriate permissions on the wrapper and the
.orig binary.


#!/bin/sh

find / -local -perm -4111 -print | /opt/local/bin/perl5 -ne 'chomp(); ($dev, $ino, $mode, $nlink, $uid, $gid) = 
stat($_); rename "$_", "$_.orig"; system("cp /path/to/compiled/wrapper $_"); chmod $mode, $_; chmod 0111, "$_.orig"; 
chown $uid, $gid, $_;'
        


### Caveats ###

This will not work with programs like ps that, on different architectures,
are themselves wrappers around other programs (e.g. on 64 bit Solaris7/8
calls /usr/bin/sparcv9/ps) because argv[0] is still the original program.
So, /usr/bin/ps calls /usr/bin/sparcv9/ps (the setuid program wrapper)
which checks argv and then calls /usr/bin/ps.orig which doesn't exist.

Those will have to be handled on a case by case basis.


 Doug Hughes                            Engineering Network Services
 doug () eng auburn edu                 Auburn University