httpd-dev mailing list archives

From Nathan Neulinger <nn...@umr.edu>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 23:34:16 GMT
At 6:17 PM 6/2/96, Randy Terbush wrote:
> >   The sucgi wrapper is too simple.
> >
> > Hmmm... before things get too heated, I'd better substantiate this
> > with an example of an attack which, I think, would work with the
> > sucgi wrapper, even after we tossed in Nathan's "owner == uid to
> > switch to" check.  On hyperreal, which is a reasonably well-managed
> > system (as I recall, Satan gave it a completely clean bill of health
> > the first time Brian ran a check), we find the following:
> >
> >   taz-rst {106} ls -l /bin/chmod
> >   -r-xr-xr-x  1 bin  bin  1520 Feb  3  1995 /bin/chmod
> >   taz-rst {101} ls -l /bin/cp
> >   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/cp
> >   taz-rst {102} ls -l /bin/ls
> >   -r-xr-xr-x  1 bin  bin  12288 Feb  3  1995 /bin/ls
> >
> > So, anybody who can arrange for the code of their choice to be
> > run by 'www' (by putting up a non-suid CGI script, putting a trojan
> > horse in the path of a maintenance script, or any other approach)
> > can prepare a trojan-horse version of 'ls', and then install it
> > as follows:
> >
> >   sucgi-wrapper bin bin /bin/chmod 0755 /bin/ls
> >   sucgi-wrapper bin bin /bin/cp cp my-trojan-horse-ls /bin/ls
> >   sucgi-wrapper bin bin /bin/chmod 0555 /bin/ls
>
> No.  sucgi-wrapper will not execute an argv0 with leading slash.
> Unless you can place a CGI file in a directory owned by bin
> and make the CGI owned by bin, the server will not execute it.
> If you are running a "non-suid" CGI script, the server will
> not use the wrapper.

The point is that the wrapper is not checking this...

The wrapper is trusting the apache module's checks - which is fine if you
can assure that the wrapper got called from the apache module...

But you can't guarantee that.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org


