Bugtraq mailing list archives

Re: Some more MySql security issues


From: Tim Yardley <yardley () UIUC EDU>
Date: Tue, 13 Feb 2001 12:49:51 -0600

At 03:19 PM 2/12/2001, Konrad Rieck wrote:
> A bof is a bof. You are completely right, but as I said and I still believe
> so, most buffer overflows are just bad coding practice. Don't get confused
> by all that hype, there are far more applications with buffer overflows
> in argv that are definitely not security relevant than security relevant
> ones.

Yes, I agree that they are typically bad coding practice... or at least
oversights.  As for security relevance, that is all a matter of context...
but I will leave that cat in the box.

> > lastly, you stated that nothing
> > is gained by overflowing non-suid programs.  that statement is obviously
> > inaccurate.  if you gain ANY uid/gid (etc etc) that is not in your
> > current list, you are changing your privileges on the system.  whether or
> > not it is a ROOT compromise is a whole different matter.

> Maybe I was expressing myself a little bit too sloppily, but if I consider
> applications that are non-suid (so no set-uid occurs), e.g. the mysql

There are still the cases of capabilities, privileges, etc etc.  These
pertain more to TOSs than others, however the TOS movement has expanded
into the standard free unix environment, albeit in limited form.  The point
to make here is that setuid/setgid bits are not the only things that could
cause you to gain something you didn't have before.

A simple theoretical example, say you grant a privilege to a binary such
that it can open a port < 1024, and you do so to eliminate the need to make
the process setuid.  Now, someone overflows a command line argument in that
application such that they successfully gain the privilege of binding to a
low port that the application had previously.  Note that I say successfully
due to the fact that a lot of TOS implementations drop privs on exec, so
one would have to be more crafty than that (raw shell image replacement and
execution based on manipulated eip).

Another possibility is a case in which the offensive program is wrapped or
used by another that *IS* privileged.  Or simply a case in which there is
an overflow in a library (which was one of the cases here).  All of these
are bad in varying degrees.

> Maybe you can explain, how I will change my privileges on a system, when
> executing exactly such overflows, I can't see it.

see above.

alas though, this is all a moot point.  all that needs to be said is that
by convention on bugtraq, people associate setuid with setuid(0) and any
other case is referred to as setuid man or setgid man, etc etc.  I was just
clarifying the fact that you must be careful when saying setuid in a forum
that typically associates that with root privs.

/tmy

-- Diving into infinity my consciousness expands in inverse
   proportion to my distance from singularity

+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
| Tim Yardley (yardley () uiuc edu)
| http://www.students.uiuc.edu/~yardley/
+-------- ------- ------ ----- ---- --- -- --- ------ ------- -------- ---------------+
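The low-port scenario Tim describes above (a non-setuid binary granted only the right to bind a port below 1024, which an argv overflow could then inherit) maps directly onto Linux capabilities, one of the "TOS" mechanisms that made it into free Unix. The following is an added, defender-side example and is not code from the thread or from MySQL: it shows the least-privilege ordering that limits the damage, namely do the one privileged operation first, drop CAP_NET_BIND_SERVICE from every capability set, and only then touch untrusted command-line input. It assumes Linux and uses the raw capget/capset syscalls so that libcap need not be installed; the helper names `has_effective_cap` and `drop_cap` are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Thin wrappers around the raw syscalls (assumption: Linux; libcap not required). */
static int raw_capget(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capget, h, d);
}

static int raw_capset(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capset, h, d);
}

/* Returns 1 if the calling thread holds `cap` in its effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];          /* v3 uses two 32-bit words per set */
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    int word = cap / 32, bit = cap % 32;
    return (int)((data[word].effective >> bit) & 1u);
}

/* Drops `cap` from the effective, permitted and inheritable sets of the calling thread.
   Shrinking the sets is always permitted, so this succeeds even for a process that never
   held the capability. Once permitted no longer contains it, nothing the process does later
   (including a corrupted control flow) can regain it without a new exec of a privileged file.
   Returns 0 on success, -1 on error. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    int word = cap / 32;
    unsigned int mask = ~(1u << (cap % 32));
    data[word].effective   &= mask;
    data[word].permitted   &= mask;
    data[word].inheritable &= mask;
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                                     /* 0 = calling thread */
    return raw_capset(&hdr, data) == 0 ? 0 : -1;
}

/* Worked sequence: privileged setup first, drop, then handle untrusted argv. */
int main(int argc, char **argv)
{
    printf("CAP_NET_BIND_SERVICE before drop: %d\n", has_effective_cap(CAP_NET_BIND_SERVICE));

    /* ... bind(2) the port < 1024 here, while the capability is still in the effective set ... */

    if (drop_cap(CAP_NET_BIND_SERVICE) != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_BIND_SERVICE after drop:  %d\n", has_effective_cap(CAP_NET_BIND_SERVICE));

    /* Only now parse command-line input. A memory-safety bug in this stage can no longer
       reuse the low-port privilege, because it is gone from the permitted set. */
    for (int i = 1; i < argc; i++)
        printf("arg %d: %.64s\n", i, argv[i]);
    return 0;
}
```

Run it as root (or with `setcap cap_net_bind_service=ep` on the binary) to see the first line print 1 and the second 0; as an ordinary user both print 0, and the drop still succeeds. The point is the ordering: the capability is consumed by the bind and discarded before any untrusted data is parsed, which is the same reasoning as a setuid daemon calling setuid() to an unprivileged user right after opening its sockets.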
