httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:45:28 GMT
> At 6:17 PM 6/2/96, Randy Terbush wrote:
> > >   The sucgi wrapper is too simple.
> > >
> > > Hmmm... before things get too heated, I'd better substantiate this
> > > with an example of an attack which, I think, would work with the
> > > sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> > > switch to" check.  On hyperreal, which is a reasonably well-managed
> > > system (as I recall, Satan gave it a completely clean bill of health
> > > the first time Brian ran a check), we find the following:
> > >
> > >   taz-rst {106} ls -l /bin/chmod
> > >   -r-xr-xr-x  1 bin  bin  1520 Feb  3  1995 /bin/chmod
> > >   taz-rst {101} ls -l /bin/cp
> > >   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/cp
> > >   taz-rst {102} ls -l /bin/ls
> > >   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/ls
> > >
> > > So, anybody who can arrange for the code of their choice to be
> > > run by 'www' (by putting up a non-suid CGI script, putting a trojan
> > > horse in the path of a maintenance script, or any other approach)
> > > can prepare a trojan-horse version of 'ls', and then install it
> > > as follows:
> > >
> > >   sucgi-wrapper bin bin /bin/chmod 0755 /bin/ls
> > >   sucgi-wrapper bin bin /bin/cp cp my-trojan-horse-ls /bin/ls
> > >   sucgi-wrapper bin bin /bin/chmod 0555 /bin/ls
> >
> > No.  sucgi-wrapper will not execute an argv0 with leading slash.
> > Unless you can place a CGI file in a directory owned by bin
> > and make the CGI owned by bin, the server will not execute it.
> > If you are running a "non-suid" CGI script, the server will
> > not use the wrapper.
> 
> The point is that the wrapper is not checking this...

NO. The wrapper IS checking this.

In the above scenario, you need to first become 'www'. One way
to do that is via the server on a server that is running as
something other than 'www'. Adding a check into the wrapper to
prevent switching to 'www' would probably be a good idea as well.

There are additional checks that can be added, but the above
scenario is currently covered.
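The checks described in this exchange (no leading slash in the command, CGI directory and file owned by the user being switched to) together with the one suggested above (refuse to switch to the server's own uid), as an added example in C that is not the sucgi-wrapper's own source. The uid values, the minimum-uid cutoff, and the separation of the policy from the stat()/getpwnam() lookups are assumptions made for illustration; the trailing main() replays the /bin/chmod attack from the quoted message against it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Reasons a suexec-style wrapper refuses to run a command.  Example code
 * written for this thread, not the sucgi-wrapper's own implementation. */
enum check_result {
    CHECK_OK = 0,
    CHECK_ABSOLUTE_PATH,  /* command has a leading slash (the /bin/chmod attack) */
    CHECK_DOTDOT,         /* ".." would escape the CGI directory */
    CHECK_SERVER_UID,     /* target uid is the server's own uid ('www') */
    CHECK_PRIVILEGED_UID, /* target uid below the configured minimum (root, bin, ...) */
    CHECK_DIR_OWNER,      /* CGI directory not owned by the target user */
    CHECK_FILE_OWNER,     /* CGI file not owned by the target user */
    CHECK_WRITABLE        /* directory or file writable by group or others */
};

/* What the real wrapper would obtain from getpwnam() and stat(); passed in
 * as plain values (an assumption of this example) so the policy can be
 * exercised without touching the filesystem. */
struct target_info {
    uid_t  uid;         /* uid of the user named on the command line */
    uid_t  dir_owner;   /* st_uid of the directory holding the CGI */
    mode_t dir_mode;    /* st_mode of that directory */
    uid_t  file_owner;  /* st_uid of the CGI file itself */
    mode_t file_mode;   /* st_mode of the CGI file */
};

/* Returns CHECK_OK only if every condition holds; the first failing
 * condition is reported so the caller can log a precise reason. */
enum check_result wrapper_check(const char *cmd, const struct target_info *t,
                                uid_t server_uid, uid_t min_uid)
{
    if (cmd[0] == '/')
        return CHECK_ABSOLUTE_PATH;       /* only paths relative to the CGI dir */
    if (strstr(cmd, "..") != NULL)
        return CHECK_DOTDOT;              /* no climbing out of the CGI dir */
    if (t->uid == server_uid)
        return CHECK_SERVER_UID;          /* never "switch" to the server's own uid */
    if (t->uid < min_uid)
        return CHECK_PRIVILEGED_UID;      /* root, bin, daemon, ... are off limits */
    if (t->dir_owner != t->uid)
        return CHECK_DIR_OWNER;
    if (t->file_owner != t->uid)
        return CHECK_FILE_OWNER;
    if ((t->dir_mode | t->file_mode) & (S_IWGRP | S_IWOTH))
        return CHECK_WRITABLE;            /* someone else could replace the script */
    return CHECK_OK;
}

const char *check_reason(enum check_result r)
{
    static const char *names[] = {
        "ok", "absolute path", "contains ..", "target is server uid",
        "target uid below minimum", "directory owner mismatch",
        "file owner mismatch", "group/other writable"
    };
    return names[r];
}

int main(void)
{
    /* Constructed values: 'www' is uid 99, 'bin' is uid 3, minimum uid 100. */
    const uid_t www = 99, min_uid = 100;
    const struct target_info bin  = { 3, 3, 0555, 3, 0555 };       /* /bin, owned by bin */
    const struct target_info user = { 1001, 1001, 0755, 1001, 0755 }; /* a normal user's CGI */

    /* The attack from the quoted message: sucgi-wrapper bin bin /bin/chmod ... */
    printf("/bin/chmod as bin: %s\n", check_reason(wrapper_check("/bin/chmod", &bin, www, min_uid)));
    /* Even a relative command name fails, because bin is below the minimum uid. */
    printf("chmod as bin:      %s\n", check_reason(wrapper_check("chmod", &bin, www, min_uid)));
    /* A user's own script in a directory they own is allowed. */
    printf("form.cgi as user:  %s\n", check_reason(wrapper_check("form.cgi", &user, www, min_uid)));
    return 0;
}
```

Each condition is independent, so the order only affects which reason is logged; the server-uid check is placed ahead of the minimum-uid check so that a 'www' below the cutoff is reported for the more specific reason.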
