Subject: Re: Format String Attacks
From: Dan Harkless (dan-bugtraq at DILVISH.SPEED.NET)
Date: Fri Sep 15 2000 - 03:47:52 CDT
Dan Harkless <dan-bugtraq at DILVISH.SPEED.NET> writes:
> Dan Harkless <dan-bugtraq at DILVISH.SPEED.NET> writes:
> [...]
> > #!/usr/local/bin/perl
> > #
> > # wrap_setid_progs_with_envar_clearer
> [...]
>
> As I mentioned in my last post (assuming Aleph1 ends up approving it), I
> discovered a small problem in the first version of my script. If you had
> multiple setid programs that were hard links to each other
> (e.g. /usr/bin/{uptime,w} on Solaris 2.6), only one of them would get
> wrapped (though all would get defanged due to the nature of hard links).
[...]
Sorry, yet another revision of this script is now available (probably the
last change to be made). This probably isn't necessary anywhere, but just
to be extra-paranoid, I changed the syscall error reporting to just print
the numeric errno rather than trusting strerror() to not do anything bogus.
I also changed the clearing of the environment variable(s) to be done
manually (using main()'s third parameter) rather than trusting putenv().
Since the new version should be functionally identical to the last one, I
won't waste more bandwidth by posting this rev. If you'd like it, you can
get it from:
http://harkless.org/dan/software/wrap_setid_progs_with_envar_clearer
Well, now that I think about it, let me just post example wrapper code
generated by the latest version of the script, in case anyone might spot any
problems:
#include <errno.h>   /* for errno */
#include <stdio.h>   /* for fprintf(), etc. */
#include <stdlib.h>  /* for EXIT_FAILURE, etc. */
#include <unistd.h>  /* for execve() */

#define ABSOLUTE_PATH_OF_WRAPPED_PROGRAM \
  "/etc/lp/alerts/printer.wrapped_due_to_envar_security_hole"

int main(int argc, char** argv, char** envp) {
  char** envp_ptr = envp;

  /* Walk the environment array handed to us by the kernel and blank the
     value of every NLSPATH entry in place, so the wrapped program never
     sees it.  This touches only the envp strings themselves and does not
     rely on putenv()/getenv(). */
  while (envp_ptr != NULL) {
    char* c;
    if (*envp_ptr == NULL)
      break;
    c = *envp_ptr;
    if (
      *c++ == 'N' &&
      *c++ == 'L' &&
      *c++ == 'S' &&
      *c++ == 'P' &&
      *c++ == 'A' &&
      *c++ == 'T' &&
      *c++ == 'H' &&
      *c++ == '=')
      *c = '\0';   /* entry becomes "NLSPATH=" with an empty value */
    envp_ptr++;
  }

  if (execve(ABSOLUTE_PATH_OF_WRAPPED_PROGRAM, argv, envp) != 0) {
    /* Report the raw errno rather than trusting strerror().  argv[0] may be
       NULL if we were exec'd with an empty argv, so don't pass that to %s. */
    fprintf(stderr, "%s (wrapping " ABSOLUTE_PATH_OF_WRAPPED_PROGRAM
            "): execve() failed with errno = %d. Aborting.\n",
            (argc > 0 && argv[0] != NULL) ? argv[0] : "(wrapper)", errno);
    exit(EXIT_FAILURE);
  }
  return EXIT_FAILURE; /* just here to quiet compiler warning */
}
----------------------------------------------------------------------
Dan Harkless                        | To prevent SPAM contamination, please
dan-bugtraq at dilvish.speed.net    | do not mention this private email
SpeedGate Communications, Inc.      | address in Usenet posts. Thank you.
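An added example, not from the post above or from the wrap_setid_progs_with_envar_clearer script: a generalised form of the wrapper's environment scrubbing that, instead of blanking the value of one hard-coded variable, deletes every envp entry for a list of variable names, compacts the array in place without calling putenv() or unsetenv(), and returns how many entries it removed. The function names and the sample environment are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Does a "NAME=value" entry have exactly the name `name`?  Checking the '='
 * stops a longer name such as NLSPATHX from matching NLSPATH. */
static int env_entry_has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Delete every envp entry named in the NULL-terminated `names` list, compacting
 * envp in place without putenv()/unsetenv().  Returns how many were removed. */
size_t scrub_env(char **envp, const char *const *names)
{
    size_t removed = 0;
    char **src, **dst;
    if (envp == NULL)
        return 0;
    for (src = dst = envp; *src != NULL; src++) {
        const char *const *nm;
        int drop = 0;
        for (nm = names; *nm != NULL && !drop; nm++)
            drop = env_entry_has_name(*src, *nm);
        if (drop)
            removed++;          /* leave the entry behind */
        else
            *dst++ = *src;      /* keep: slide down over removed slots */
    }
    *dst = NULL;                /* re-terminate the compacted array */
    return removed;
}

/* Run scrub_env() on a constructed sample environment (not a real capture).
 * Returns the number of removed entries when `query` is NULL, otherwise
 * 1 if a variable named `query` survived the scrub and 0 if it did not. */
int demo_scrub(const char *query)
{
    char e0[] = "PATH=/usr/bin", e1[] = "NLSPATH=/tmp/catalogs/%N",
         e2[] = "NLSPATHX=keep", e3[] = "LANG=C",
         e4[] = "NLSPATH=second copy", e5[] = "LC_MESSAGES=en_US";
    char *env[] = { e0, e1, e2, e3, e4, e5, NULL };
    const char *const names[] = { "NLSPATH", "LC_MESSAGES", NULL };
    int removed = (int)scrub_env(env, names);
    char **p;
    if (query == NULL)
        return removed;
    for (p = env; *p != NULL; p++)
        if (env_entry_has_name(*p, query))
            return 1;
    return 0;
}
```

Both NLSPATH copies and LC_MESSAGES are removed from the sample, while PATH, LANG and the look-alike NLSPATHX survive.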