httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:17:27 GMT
>   The sucgi wrapper is too simple.
> Hmmm... before things get too heated, I'd better substantiate this
> with an example of an attack which, I think, would work with the
> sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> switch to" check.  On hyperreal, which is a reasonably well-managed
> system (as I recall, Satan gave it a completely clean bill of health
> the first time Brian ran a check), we find the following:
>   taz-rst {106} ls -l /bin/chmod
>   -r-xr-xr-x  1 bin  bin  1520 Feb  3  1995 /bin/chmod
>   taz-rst {101} ls -l /bin/cp
>   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/cp
>   taz-rst {102} ls -l /bin/ls
>   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/ls
> So, anybody with who can arrange for the code of their choice to be
> run by 'www' (by putting up a non-suid CGI script, putting a trojan
> horse in the path of a maintenance script, or any other approach)
> can prepare a trojan-horse version of 'ls', and then install it
> as follows:
>   sucgi-wrapper bin bin /bin/chmod 0755 /bin/ls
>   sucgi-wrapper bin bin /bin/cp cp my-trojan-horse-ls /bin/ls
>   sucgi-wrapper bin bin /bin/chmod 0555 /bin/ls

No.  sucgi-wrapper will not execute an argv0 with leading slash.
Unless you can place a CGI file in a directory owned by bin
and make the CGI owned by bin, the server will not execute it.
If you are running a "non-suid" CGI script, the server will
not use the wrapper.

View raw message