Vulnerability Development mailing list archives

Re: Administrivia #13471 (exploit non-setuid programs?)


From: Crispin Cowan <crispin () WIREX COM>
Date: Tue, 13 Feb 2001 22:31:00 -0800

Blue Boar wrote:

I've got a number of additional notes about non setuid programs from the
same guy awaiting approval.  I realize that these programs may be
called from web forms and other places that may lead to a compromise.
My question is, do you people want to see them?  I'll arrange to
have a single summary note if you do.  It's a question of whether people
think there's enough value to keep a list of exploitable programs
about.

I think they are of security interest IFF the buffer overflow is in a file
that the program reads.  This allows the attacker to, in effect, lay a mine
for the root account.  An example of this occurred in my first
vulnerability post to Bugtraq some three years ago, when I discovered that
locate would seg fault if you left a very long path name in the locate DB,
which you could do by creating a very long path name in the file system.
The attack scenario is to lay such a mine, and then wait for root to
execute the command, and poof:  exec code as root.

So, just because something is not suid doesn't mean it's not a
vulnerability.  If you can spoof root into running it with your data (e.g.
drop a funny man page somewhere) then you can attack.

On the other hand, command-line inputs and stdin overflows are not
interesting.  Root won't attack itself knowingly.


Please respond to me off-list.

I'm guessing this comment is of general interest, so I'm posting to the
list anyway.  But you're the moderator, so do what's best.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
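The "mine for root" case Crispin describes (a non-setuid tool that copies an attacker-planted, over-long entry from a data file into a fixed-size buffer) comes down to how the file is parsed. The following C is an added defensive example, not code from this thread or from any locate implementation: it assumes a simplified locate-style database of newline-separated paths, reads each entry with an explicit bound, and rejects entries that do not fit instead of overflowing. The sample database it scans is constructed inline, including one hostile entry longer than PATH_MAX.

```c
/* Added example (not from the thread): bounded parsing of a locate-style
 * path database so that an over-long entry planted by an unprivileged
 * user cannot overflow the buffer of whoever (including root) runs it. */
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdlib.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms that do not define it */
#endif

/* Outcome of reading one entry from the database. */
enum entry_status { ENTRY_OK = 0, ENTRY_TOO_LONG = 1, ENTRY_EOF = 2 };

/* Read one newline-terminated entry from `in` into `out` (capacity `outsz`).
 * A naive reader would do the equivalent of strcpy() into a char[PATH_MAX]
 * here; this one stops storing at the bound, drains the rest of the line,
 * and reports ENTRY_TOO_LONG so the caller never sees a truncated or
 * overflowed path. */
static enum entry_status read_entry(FILE *in, char *out, size_t outsz)
{
    size_t n = 0;
    int c;
    int too_long = 0;

    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < outsz)          /* leave room for the terminator */
            out[n++] = (char)c;
        else
            too_long = 1;           /* keep draining, stop storing */
    }
    if (c == EOF && n == 0 && !too_long)
        return ENTRY_EOF;
    out[n] = '\0';
    return too_long ? ENTRY_TOO_LONG : ENTRY_OK;
}

/* Scan a whole database: returns the number of accepted entries and writes
 * the number of rejected (over-long) entries through `rejected`. */
int scan_db(FILE *in, int *rejected)
{
    char path[PATH_MAX];
    int ok = 0;
    *rejected = 0;
    for (;;) {
        enum entry_status st = read_entry(in, path, sizeof path);
        if (st == ENTRY_EOF)
            break;
        if (st == ENTRY_TOO_LONG) {
            (*rejected)++;          /* the mine is noticed, not stepped on */
            continue;
        }
        ok++;                       /* `path` is a bounded, terminated string */
    }
    return ok;
}

/* Constructed sample database: three ordinary paths plus one hostile entry
 * of PATH_MAX + 16 bytes, the kind a user could plant via the file system. */
static FILE *build_sample_db(void)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    fputs("/usr/share/doc/README\n", f);
    fputs("/home/alice/notes.txt\n", f);
    for (size_t i = 0; i < (size_t)PATH_MAX + 16; i++)
        fputc('A', f);              /* hostile over-long entry */
    fputc('\n', f);
    fputs("/etc/hosts\n", f);
    rewind(f);
    return f;
}

/* Helpers that scan the constructed sample; -1 on failure to build it. */
int sample_accepted_count(void)
{
    int rej = 0;
    FILE *f = build_sample_db();
    if (!f)
        return -1;
    int ok = scan_db(f, &rej);
    fclose(f);
    return ok;
}

int sample_rejected_count(void)
{
    int rej = 0;
    FILE *f = build_sample_db();
    if (!f)
        return -1;
    scan_db(f, &rej);
    fclose(f);
    return rej;
}

int main(void)
{
    printf("accepted=%d rejected=%d\n",
           sample_accepted_count(), sample_rejected_count());
    return 0;
}
```

The point for a defender is in the contract of read_entry: the bound is the buffer's real capacity, an entry that exceeds it is reported rather than silently truncated, and the program keeps going, so a single planted line cannot crash or hijack a later run by root. The same shape applies to any data file a privileged user might process (man pages, caches, indexes).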
