question on escalating privileges via suid vulnerabilities

From: John McGuire (jmcguire81@gmail.com)
Date: Sat Feb 24 2007 - 13:52:49 EST


I was curious if anyone knows if new protections have been put in
place to prevent spawning root shells from vulnerable applications. I
have recently started learning about stack based exploits and have
bumped into an issue that I'm not sure what the culprit is. When
overflowing a simple test application, the shell being spawned belongs
to the local user I am running as, not to root as the program is
suid'd to. I created a small C program to
demonstrate:

#include <stdio.h>
#include <unistd.h>   /* execve() */

int main() {
       /* argv for the new process: program name only, no arguments */
       char *arr[2];
       arr[0] = "/bin/sh";
       arr[1] = NULL;
       /* replace this (setuid root) process image with /bin/sh */
       execve (arr[0], arr, NULL);
       /* only reached if execve() fails */
       perror("execve");
       return 1;
}

This gets compiled and perms set:

gcc vuln.c -o vuln
chown root vuln
chmod 4755 vuln

When I run the app as a non-root user, I get a /bin/sh prompt with
that user's perms, not root's. I modified this program a bit to take an
argument off the command line and passed it `whoami`. This returned
root as the response. /bin/sh, however, belongs to the lower priv user.

Is this caused by a change to all the shells to prevent this kind of
thing and docs just haven't caught up? I bumped into that already with
stack randomization being on by default in 2.6 kernels, so that
wouldn't be too surprising. If this is the case, does anyone know any
decent docs to start pointing the way to getting around this?

Thanks
John McGuire
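Added example (not from John's mail): a small program that shows the real/effective uid distinction behind what he observes. A setuid-root binary runs with ruid = caller and euid = 0; `whoami` reports geteuid(), hence "root", while a shell such as bash compares getuid() and geteuid() at startup and, when they differ, resets the effective uid to the real one. drop_privileges() performs that same reset the way a careful setuid program should before exec'ing anything, and verifies it took effect. It uses only POSIX calls and can be run unprivileged, in which case both ids already match.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 when the process runs with differing real and effective uids,
 * i.e. the condition a privilege-aware shell checks on startup. */
int running_elevated(uid_t ruid, uid_t euid) {
    return ruid != euid;
}

/* Set real and effective uid (and, when privileged, the saved uid) to the
 * caller's real uid, then confirm the drop. Returns 0 on success, -1 on
 * failure. A setuid program that exec's another binary should do this
 * first, so the child cannot run with the elevated effective uid. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    if (setreuid(ruid, ruid) != 0)
        return -1;
    /* Never trust the call alone: re-read the ids and check they match. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    return 0;
}

int main(void) {
    uid_t ruid = getuid(), euid = geteuid();
    printf("real uid %u, effective uid %u: %s\n",
           (unsigned)ruid, (unsigned)euid,
           running_elevated(ruid, euid) ? "elevated" : "not elevated");

    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after drop: real uid %u, effective uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());

    /* The shell now sees matching ids and simply keeps them; `id` prints
     * the same uid twice, which is the behaviour the mail describes. */
    char *argv[] = {"/bin/sh", "-c", "id", NULL};
    execve(argv[0], argv, NULL);
    perror("execve");
    return 1;
}
```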




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:36 EDT