Vulnerability Development mailing list archives
Re: core dump on mingetty and getty
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 3 Dec 2001 17:20:33 -0500 (EST)
On Mon, 3 Dec 2001, KF wrote:
> Why do we care... because I am joe schmoe_cant_code_a_lick_of_c and I make
> retarded mistakes in my code. (Stupid examples follow).
>
> [...]
>
>   setuid(0);
>   setgid(0);
>   runme[0] = argv[1];
>   runme[1] = 0;
>   execve("/sbin/getty", runme, 0);
>
> [...]
>
> For that matter... m4 is a userland non-privileged level program ... yet it
> led to a man exploit.
>
> Flames > /dev/null ... comments welcome.
If one codes something like that:

  setuid(0);
  setgid(0);
  snprintf(buf, sizeof(buf), "vi /some/dir/%s", argv[1]);
  system(buf);

...this obviously can be exploited to edit /etc/passwd, but is this a problem
in vi? Would you like to see posts like that on VULN-DEV? Where to draw the
line between what is a "feature" and a "vulnerability" in programs that are,
after all, not really supposed to apply such checks?

Mingetty, pine, or any other program that is not designed to run in a hostile
environment should not be expected to implement security checks without a
reason - at best, segfaulting after 3984 AAAs might be a functionality problem,
not a security hole. As soon as unprivileged code is used in a stupid and
irresponsible way ('man' is one of the best examples of how things shouldn't be
written), this is a problem. This is a problem even if there is no buffer
overflow in m4 - it is sufficient for m4 to accept some environment variables
or extra parameters that make it do more than the author of our privileged
application expected - and all this is still a part of designed m4
functionality!

We really should not blame the author of this unprivileged code - no matter if
it is m4 or mingetty, no matter if it segfaults or simply accepts an
OUTPUT_FILE environment variable. We should not start pointless and endless
threads about it (I am not talking about certain types of vulnerabilities in
unprivileged code - namely, all cases of faulty interaction with a hostile
environment, such as the net, /tmp directory, process table, etc). But we
certainly should start discussing all cases where privileged code uses
unprivileged software in a potentially dangerous way. As this is VULN-DEV, we
can start doing it before we know whether it has any negative effects or not.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
      http://lcamtuf.coredump.cx/photo/
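The following is an added example, not code from the thread or from any of its
participants. It puts Michal's vi/system() snippet next to the way the same
privileged caller should be written: the argument is validated against a
whitelist, the editor is started with execve() on an explicit argv and a
minimal environment instead of through a shell, and privileges are dropped to
the invoking user before the unprivileged program runs. The directory
/some/dir/ comes from the post; the vi path /usr/bin/vi, the 64-byte name
limit and the function names are assumptions made for the example.

```c
/* Added example (not from the VULN-DEV thread): the risk belongs to the
 * privileged caller, not to vi. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DIR "/some/dir/"      /* directory used in the post */
#define VI  "/usr/bin/vi"     /* assumed location of vi */

/* The pattern criticised in the post: whatever argv[1] holds is pasted into
 * a shell command line. "../../etc/passwd" reaches vi as a path and "x; sh"
 * reaches /bin/sh as a second command. Returns 0 and the command in out. */
int vulnerable_command(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "vi " DIR "%s", name) < (int)n ? 0 : -1;
}

void vulnerable_edit(const char *name)
{
    char buf[256];
    setuid(0); setgid(0);                /* as in the post */
    if (vulnerable_command(buf, sizeof buf, name) == 0)
        system(buf);                     /* shell, $IFS, $EXINIT ... all attacker-controlled */
}

/* Every byte of s is alphanumeric or listed in extra. */
static int all_in(const char *s, const char *extra)
{
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(extra, *s))
            return 0;
    return 1;
}

/* Accept only a plain file name: no '/', no shell metacharacters, no leading
 * '-' (vi would parse it as an option), not "." or "..". 0 = ok, -1 = reject. */
int safe_name(const char *name)
{
    if (!name || !*name || strlen(name) > 64) return -1;
    if (*name == '-' || !all_in(name, "._")) return -1;
    if (!strcmp(name, ".") || !strcmp(name, "..")) return -1;
    return 0;
}

/* Build DIR + name, but only for names that pass safe_name(). */
int build_path(char *out, size_t n, const char *name)
{
    if (safe_name(name) != 0) return -1;
    return snprintf(out, n, DIR "%s", name) < (int)n ? 0 : -1;
}

/* Hardened caller: validated argument, no shell, explicit argv, a minimal
 * environment (PATH plus a whitelisted TERM), and vi runs as the invoking
 * user rather than root. If the file really must be written with privilege,
 * edit a private copy unprivileged and copy it back after checks, as sudoedit
 * does; that part is not shown here. Returns vi's exit status or -1. */
int hardened_edit(const char *name)
{
    char path[128], termvar[96];
    const char *term = getenv("TERM");
    char *envp[3] = { "PATH=/bin:/usr/bin", NULL, NULL };

    if (build_path(path, sizeof path, name) != 0) return -1;
    if (term && all_in(term, "-_") &&
        snprintf(termvar, sizeof termvar, "TERM=%s", term) < (int)sizeof termvar)
        envp[1] = termvar;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "vi", path, NULL };
        /* gid first, then uid; bail out if either drop fails */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(VI, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <name>\n", argv[0]); return 2; }
    return hardened_edit(argv[1]) < 0 ? 1 : 0;
}
```

Note that none of the checks live in vi: the editor still honours its
environment and options, and still offers ":!sh", which is exactly why the
hardened caller refuses to hand it a shell-parsed command line, a hostile
environment or root. vulnerable_command() is kept only so the difference can
be shown on the same input without actually running anything as root.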
Current thread:
- Re: core dump on mingetty and getty KF (Dec 03)
- Re: core dump on mingetty and getty Michal Zalewski (Dec 03)
- uugetty mgetty also... KF (Dec 03)
- Re: uugetty mgetty also... Andrew Sharpe (Dec 03)
- Re: uugetty mgetty also... Rodrigo Barbosa (Dec 04)
- Message not available
- Re: uugetty mgetty also... Rodrigo Barbosa (Dec 05)
- sadc Segmentation Fault smackenz (Dec 03)