Vulnerability Development mailing list archives

Re: nonsuid overflows... still at risk?


From: Bela Lubkin <belal () sco COM>
Date: Thu, 7 Jun 2001 16:56:17 -0700

KF wrote:

Here are several binaries on SCO that are not suid, however they seem to have classic overflows... I was wondering if these could be exploited due to the fact that a number of programs call them. vi, pg and more are the binaries in question.

# SCO_SV frodev 3.2 5.0.6 i386
#  TERM=`perl -e 'print "A" x 7000'`
# export TERM
# vi
Memory fault - core dumped
# pg
Memory fault - core dumped
# more
Memory fault - core dumped

Perhaps vi is exploitable via a suid program calling it?

As others have pointed out, if an suid/sgid program calls vi while still
privileged, you do not need a buffer overflow to exploit it!  Just shell
out and have fun.  In fact, with very few exceptions (and those by
deliberate design), if an suid/sgid program execs anything else while
still holding its privileges, it's being stupid (and probably
exploitable).

Yes, the OpenServer versions of those programs [vi, pg, more, and no
doubt many others] have bugs which can be provoked to generate core
dumps.  These bugs are not directly exploitable in the classic sense.
With a typical buffer overflow attack, you could probably cause those
programs to run a shell -- as you.  Might as well just type "/bin/sh".

They're bugs which ought to be fixed, but which are lower priority than
things like obviously exploitable /tmp race conditions, which I'm in the
middle of working through...

In response to another message: OpenServer's `crontab` _is_ setgid (to
group cron), and is not setuid.  This is by deliberate design and should
not be tampered with.  The OpenServer cron package is not related to the
ones typically in use on Linux systems; its security measures are
different.

Bela
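Bela's point that a privileged program must never exec anything (vi, a pager, $EDITOR) while still holding its privileges has a standard defensive counterpart: switch to the invoking user's real uid and gid, verify that the switch actually took effect, and only then exec. The following is an added example, not code from Bela's mail or from SCO OpenServer; the function names (`drop_privileges`, `is_privileged`, `run_unprivileged`), the 64-byte TERM sanity limit and the use of `/bin/true` as the default target are my own constructions, and it assumes a POSIX/Linux system where `setreuid`/`setregid` with both arguments equal to the real id also replace the saved set-user-ID.

```c
#define _DEFAULT_SOURCE 1          /* declares setreuid/setregid on glibc */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Permanently drop to the invoking (real) user and group, then verify the
 * drop actually happened.  Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once root is given up we may no longer be able to setgid.
     * (A setuid-root program would also call setgroups() at this point.) */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify instead of trusting the return codes. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If we were setuid root, the saved set-user-ID must be gone as well,
     * so an attempt to regain root has to fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* True when the effective ids differ from the real ones, i.e. the process
 * still holds privilege the invoking user does not have. */
int is_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Run argv (argv[0] is an absolute path) as the invoking user.  The child
 * drops privileges first and receives a minimal environment.  Returns the
 * child's exit status (127 if the exec failed), or -1 on error.  This is
 * what a privileged program should use instead of system() or execvp(). */
int run_unprivileged(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        /* Fixed PATH plus the invoker's TERM when it looks sane (constructed
         * 64-byte limit).  Even an oversized TERM would now only crash a
         * process running as the invoker, which is Bela's point above. */
        char termvar[80] = "TERM=dumb";
        const char *term = getenv("TERM");
        if (term && strlen(term) < 64)
            snprintf(termvar, sizeof termvar, "TERM=%s", term);
        char *const envp[] = { "PATH=/usr/bin:/bin", termvar, NULL };
        execve(argv[0], argv, envp);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    /* Default target is /bin/true so the demo runs anywhere; pass e.g.
     * /usr/bin/vi /tmp/note to hand control to an editor instead. */
    char *const dflt[] = { "/bin/true", NULL };
    char *const *target = argc > 1 ? (char *const *)(argv + 1) : dflt;

    printf("privileged before spawn: %s\n", is_privileged() ? "yes" : "no");
    int rc = run_unprivileged(target);
    printf("%s exited with status %d\n", target[0], rc);
    return rc == 0 ? 0 : 1;
}
```

The verification step after the id changes is the part most often skipped: on some systems `setuid()` from a non-root effective id changes only the effective id and leaves the saved id in place, so a child that later calls `setuid()` again could get the privilege back. Checking `geteuid()`/`getegid()` and, for a formerly-root process, that `setuid(0)` now fails catches that before anything is exec'd.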
