On Sun, Mar 06, 2005 at 01:56:43AM +0100, Uwe Hermann wrote:
> a) if the line
> HOME=`perl -e 'print "A" x 1000;'` program
> crashes the program (which most surely hints at a buffer overflow)
> this is only exploitable if 'program' is setuid/setgid?
>
> Are there any other possibilities how this could potentially be
> exploited in case 'program' is _not_ setuid/setgid?
I can't think of any, because as you say you'd need to trick root
into running it with a bogus HOME variable.
If they are careful they would clear their environment as part of
the su process.
> I guess if someone could manage to trick root into running some
> code like the above, he/she can gain root privileges. But
> usually someone with root should be smart enough _not_ to run such
> stuff, I'd say. So are there any more subtle attacks known, e.g. where
> a user can fiddle with the HOME variable of root?
I don't think a normal user should be able to fiddle with another
user's HOME, let alone root's.
> Does such a bug justify a DSA, or should I just file a bug-report?
I think just a bug report.
> b) if I can crash an application with
> program --some-switch `perl -e 'print "A" x 1000;'`
> i.e. an overly long command-line switch, I can't do very much damage
> if 'program' is not setuid/setgid, right?
Right.
> What if the application is intended to be run as root (i.e. because
> it needs to bind to a port < 1024)? All I have to do is trick root
> into running the program with the very long command-line switch,
> I guess. Can this realistically be done, so that a normal (non-dumb)
> admin executes this?
I think this is a more interesting case. There have been a few
programs that have had updates for this. Specifically I'm thinking
of htpasswd which was updated, eventually, not because it's run by
root - but because it's often invoked by CGI scripts.
I'm guessing if a command line program that was commonly used in
such a way was buggy that an update would be made, ping, traceroute,
etc.
Having a program require root privileges to bind a port doesn't
make it more likely to be updated - if as you say it's not setuid to
start with.
In fact they are probably safer than normal processes as they are
typically binding a port to be a daemon - so they will be started
by /etc/init.d/foo and that means the command line is effectively
hardwired.
(Modulo cases where command line parameters come from configuration
files)
Steve
Received on Sun Mar 06 2005 - 13:14:07 GMT
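As an added illustration (not part of the original thread), a C sketch of the defensive counterpart to the two cases discussed above: a bounded copy of HOME or an argv element that rejects oversized input instead of overrunning a fixed buffer, plus the real-vs-effective id comparison that marks the setuid/setgid boundary Steve describes. The function names and the 256-byte buffer size are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern from the thread, kept as a comment only:
 *   char home[256]; strcpy(home, getenv("HOME"));   -- 1000 x 'A' overruns it */

/* Hardened replacement for both cases in the thread (environment value or
 * argv element): copy only if the string fits, NUL included. Returns 0 on
 * success, -1 if missing or too long; reject rather than truncate the path. */
int copy_bounded(const char *in, char *out, size_t outlen)
{
    if (in == NULL || out == NULL || outlen == 0)
        return -1;
    const char *nul = memchr(in, '\0', outlen);  /* examine at most outlen bytes */
    if (nul == NULL)
        return -1;                               /* no terminator within range */
    memcpy(out, in, (size_t)(nul - in) + 1);
    return 0;
}

/* Steve's exploitability condition: privilege boundary only if setuid/setgid. */
int runs_with_elevated_ids(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Resolve HOME defensively: a privileged process ignores the inherited value. */
int resolve_home(const char *env_home, int elevated, char *out, size_t outlen)
{
    return copy_bounded(elevated ? NULL : env_home, out, outlen);
}

/* Constructed test input: the 1000 x 'A' string from the thread. */
char *make_aaaa(size_t len)
{
    char *s = malloc(len + 1);
    if (s) { memset(s, 'A', len); s[len] = '\0'; }
    return s;
}

int main(void)
{
    char home[256];
    int rc = resolve_home(getenv("HOME"), runs_with_elevated_ids(), home, sizeof home);
    printf("HOME: %s\n", rc == 0 ? home : "rejected (unset, too long, or privileged)");
    return 0;
}
```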