Does the shared lib bug work on any suid program ?

Bernd.LehleRUS.Uni-Stuttgart.DE

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Casper Dik: "Re: SunOS syslog() fix, finally..."
• Previous message: Justin Mason: "Re: Telnet attack on SGI"
• Next in thread: Fred Blonder: "Re: Does the shared lib bug work on any suid program ?"

Hi there,

after all the fuzz about the telnet/shared lib stuff somebody here came up
with something that might be even more interesting:

What woul hapen in the following case:

- Choose any suid program, that uses a library call, You know the name
- example: su calls crypt(3)
- take the library that contains crypt and delete crypt from it
- add a crypt function that does exec(sh)
- rebuild the shared library with the new cypt
- set the shared library path to Your home
- su

Right after the Password was typed in, You should have a root shell...

This game could be played with any suid program, where You know what routines
it calls.

Or am I missing something ?

I did not try this yet, because I don't know (yet) how to build shared
libraries ...

--
> Bernd Lehle - Stuttgart University Computer Center * A supercomputer <
>       Visualization / SFB 382 / Astrophysics       *  is a machine   <
> lehlerus.uni-stuttgart.de   Tel:+49-711-685-2047  *  that runs an   <
>   http://www.tat.physik.uni-tuebingen.de/~lehle    *  endless loop   <
>  pgp? -> finger berndvisbl.rus.uni-stuttgart.de   *  in 2 seconds   <

• Next message: Casper Dik: "Re: SunOS syslog() fix, finally..."
• Previous message: Justin Mason: "Re: Telnet attack on SGI"
• Next in thread: Fred Blonder: "Re: Does the shared lib bug work on any suid program ?"