Vulnerability Development mailing list archives
Re: Administrivia #13471 (exploit non-setuid programs?)
From: Crispin Cowan <crispin () WIREX COM>
Date: Tue, 13 Feb 2001 22:31:00 -0800
Blue Boar wrote:
I've got a number of additional notes about non setuid programs from the same guy awaiting approval. I realize that these programs may be called from web forms and other places that may lead to a compromise. My question is, do you people want to see them? I'll arrange to have a single summary note if you do. It's a question of whether people think there's enough value to keep a list of exploitable programs about.
I think they are of security interest IFF the buffer overflow is in a file that the program reads. This allows the attacker to, in effect, lay a mine for the root account. An example of this occurred in my first vulnerability post to Bugtraq some three years ago, when I discovered that locate would seg fault if you left a very long path name in the locate DB, which you could do by creating a very long path name in the file system. The attack scenario is to lay such a mine, and then wait for root to execute the command, and poof: exec code as root. So, just because something is not suid doesn't mean it's not a vulnerability. If you can spoof root into running it with your data (e.g. drop a funny man page somewhere) then you can attack. On the other hand, command-line inputs and stdin overflows are not interesting. Root won't attack itself knowingly.
Please respond to me off-list.
I'm guessing this comment is of general interest, so I'm posting to the list anyway. But you're the moderator, so do what's best.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
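The "mine for root" pattern Crispin describes is a program that trusts the length of records in a file any local user can influence. As an added example (not from the thread, and not the code of locate or any program it mentions), the C below reads a locate-style database of newline-separated path names into a fixed-size record buffer, but bounds every copy and counts the entries that would have overflowed instead of copying them. The 256-byte buffer size and the sample database are constructed for illustration.

```c
/* Added example: defensive reader for a locate-style database of
 * '\n'-separated path names. The file is attacker-influenced data, so
 * every entry length is treated as hostile. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256   /* assumed fixed record buffer of a naive reader */

struct db_stats {
    size_t accepted;   /* entries that fit the fixed buffer */
    size_t rejected;   /* entries that would have overflowed it */
};

/* The unsafe pattern this guards against is an unbounded copy of an entry
 * into a fixed buffer: an over-long path stored in the DB then corrupts the
 * stack of whoever runs the command, root included. Here the copy refuses
 * anything that does not fit with room for the terminating NUL. */
static int copy_entry(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Walk a buffer of '\n'-separated entries; data need not be NUL-terminated
 * and the last entry need not end in a newline. */
struct db_stats scan_db(const char *data, size_t len)
{
    struct db_stats st = {0, 0};
    char entry[MAX_PATH_LEN];
    size_t start = 0;

    for (size_t i = 0; i <= len; i++) {
        if (i == len || data[i] == '\n') {
            size_t n = i - start;
            if (n > 0) {
                if (copy_entry(entry, sizeof entry, data + start, n) == 0)
                    st.accepted++;
                else
                    st.rejected++;
            }
            start = i + 1;
        }
    }
    return st;
}

/* Constructed sample DB: two ordinary paths plus one 605-byte path name of
 * the kind an unprivileged user can create under a world-writable directory. */
size_t build_sample(char *out, size_t outsz)
{
    size_t pos = (size_t)snprintf(out, outsz,
        "/usr/share/doc/README\n/home/alice/notes.txt\n/tmp/");
    for (int i = 0; i < 600 && pos + 1 < outsz; i++)
        out[pos++] = 'A';
    out[pos] = '\0';
    return pos;
}

/* Scan the constructed sample; returns the accepted/rejected counts. */
struct db_stats run_sample(void)
{
    char sample[1024];
    size_t len = build_sample(sample, sizeof sample);
    return scan_db(sample, len);
}

int main(void)
{
    struct db_stats st = run_sample();
    printf("accepted=%zu rejected=%zu\n", st.accepted, st.rejected);
    return 0;
}
```

Counting and logging rejected records, rather than silently truncating them, is also what gives an administrator a detection signal: a database that suddenly contains entries longer than any legitimate path is worth a look before root runs the tool.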