Vulnerability Development mailing list archives
Re: nonsuid overflows... still at risk?
From: Bela Lubkin <belal () sco COM>
Date: Thu, 7 Jun 2001 16:56:17 -0700
KF wrote:
> Here are several binaries on SCO that are not suid, however they seem to have classic overflows... I was wondering if these could be exploited due to the fact that a number of programs call them. vi, pg and more are the binaries in question.
>
> # SCO_SV frodev 3.2 5.0.6 i386
> # TERM=`perl -e 'print "A" x 7000'`
> # export TERM
> # vi
> Memory fault - core dumped
> # pg
> Memory fault - core dumped
> # more
> Memory fault - core dumped
>
> Perhaps vi is exploitable via a suid program calling it?
As others have pointed out, if an suid/sgid program calls vi while still privileged, you do not need a buffer overflow to exploit it! Just shell out and have fun. In fact, with very few exceptions (and those by deliberate design), if an suid/sgid program execs anything else while still holding its privileges, it's being stupid (and probably exploitable).

Yes, the OpenServer versions of those programs [vi, pg, more, and no doubt many others] have bugs which can be provoked to generate core dumps. These bugs are not directly exploitable in the classic sense. With a typical buffer overflow attack, you could probably cause those programs to run a shell -- as you. Might as well just type "/bin/sh". They're bugs which ought to be fixed, but which are lower priority than things like obviously exploitable /tmp race conditions, which I'm in the middle of working through...

In response to another message: OpenServer's `crontab` _is_ setgid (to group cron), and is not setuid. This is by deliberate design and should not be tampered with. The OpenServer cron package is not related to the ones typically in use on Linux systems; its security measures are different.
Bela
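The pattern Bela is describing, a set-id program that must shed its privileges before it execs anything (because the child, vi included, can simply shell out), as an added example that is not code from this thread or from SCO. It assumes a POSIX host with /bin/sh; the verification step fails closed, so an sgid program like the crontab discussed above would refuse to exec rather than carry a saved set-gid into the child.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>

/* Drop to the real uid/gid and verify that the privilege is really gone.
   Returns 0 only when the effective ids equal the real ids AND the old
   set-ids can no longer be reacquired. */
static int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the uid is dropped we may not change gids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* A set-id that was actually held must now be unrecoverable. For a
       setuid-root program setuid() clears the saved uid too; for a non-root
       set-id (e.g. sgid cron) POSIX setgid() leaves the saved gid behind,
       so this check fails and the caller must not exec. Use setresuid/
       setresgid where the platform has them to clear the saved ids. */
    if (euid != ruid && setuid(euid) != -1) return -1;
    if (egid != rgid && setgid(egid) != -1) return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec. Returns the child's exit
   status, or -1 on failure; 127 means the child refused to exec. */
static int run_unprivileged(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(127);
        execv(path, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: run a shell command the way an editor would be run. */
static int demo(void)
{
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    return run_unprivileged("/bin/sh", argv);
}

int main(void) { printf("child exited with %d\n", demo()); return 0; }
```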