Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1995_1

Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: SUID shell scripts, questions?

Re: SUID shell scripts, questions?

Carson Gaspar (carsonlehman.com)
Sat, 11 Feb 1995 18:38:00 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Robert M. Haas: "Re: Solaris 2.3 ndd bug"
Previous message: Dow Summers: "Solaris 2.3-2.4 Audit Bug"
In reply to: Greg Woods: "Re: SUID shell scripts, questions?"
Next in thread: Fred Blonder: "Re: SUID shell scripts, questions?"

On Fri, 10 Feb 1995, Greg Woods wrote:

> Or you can just create a symlink to a setuid script called "-i". Guess
> what happens when the system executes "sh -i"? Don't even need the
> race condition. And even without this, you could always overwrite the
> SAME file with something new, so the fd doesn't change.

Attack #1 (symlink -i) fails under solaris.  The shell is invoked as:
/bin/sh /dev/fd/xxx

Attack #2 is only possible if you're dumb enough to leave a setuid 
program world-writeable.

--
Carson Gaspar -- carsoncs.columbia.edu carsonlehman.com
<This is the boring business .sig - no outre sayings here>

Next message: Robert M. Haas: "Re: Solaris 2.3 ndd bug"
Previous message: Dow Summers: "Solaris 2.3-2.4 Audit Bug"
In reply to: Greg Woods: "Re: SUID shell scripts, questions?"
Next in thread: Fred Blonder: "Re: SUID shell scripts, questions?"