A security hole
Troy Rollo
avenger at runx.ips.oz
Tue Apr 5 20:15:48 AEST 1988
>.
>.drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
>.-rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
>.
>.And here's the rnews command:
>.
>.22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
>.
>.Explain to me how someone could use this setuid-news, setgid-news program
>.to write into my .login file. No need to explain further; I do appreciate
>.why I wouldn't want you to do that. But I don't quite see how this setup
>.makes it possible.
>
>It is not possible for someone to *directly* abuse this to write to your
>(uid=jc, gid=wheel) .login file. However, someone may be able to abuse
>rnews and become uid=news, gid=news. They would then have access to all of
>news's files. This is where the security break is.
Once a user has broken through to the news uid and gid they can
modify rnews itself. The hacker copies the genuine version to
another place, then installs his own program in its place. The
bogus rnews sets its effective user and group IDs back to the
real user and group IDs (those of whoever invoked it), then
creates a new file in some other directory, owned by that user's
uid and gid, with mode 6777 (setuid, setgid, rwx for all). Later
another program can be copied over it, or the bogus rnews can
write the program into the file directly. The bogus rnews then
executes the real rnews, so the person who runs rnews is
completely unaware of what has happened. Voila... the hacker has
that user's uid and gid and can modify your .login or anything
else.
BTW. I have broken through news programs with setuid
and setgid on two occasions, which illustrates the
fact that it is difficult to be certain about any
setuid, setgid program.
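The two conditions the post turns on are checkable. Below is an added audit script, not part of the original post or of any news software, that walks a directory tree and reports setuid/setgid files, separating out those owned by a non-root account (the rnews situation: whoever reaches that account can replace the binary) and those writable by group or others (what a mode-6777 file looks like). It builds its own small sample tree in a temp directory, so the names rnews, plain and dropper and their modes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files and flag the two
# weaknesses described in the post. Not from the original message.

# Every setuid or setgid regular file below $1.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Setuid/setgid files owned by a uid other than 0. The owning account is
# then a trust boundary: compromise it and the binary can be swapped.
list_nonroot_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -uid 0 2>/dev/null | sort
}

# Setuid/setgid files that group or others may write (mode 6777 and the like).
list_writable_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Portable line count without the leading blanks some wc builds print.
count_lines() {
    wc -l | tr -d ' '
}

# Constructed sample tree (assumption, for the demo only):
#   bin/rnews   6755  a setuid+setgid binary like the one in the post
#   bin/plain   0755  an ordinary executable, must not be reported
#   home/dropper 6777 the kind of file the bogus rnews would leave behind
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/home"
    printf '#!/bin/sh\necho rnews\n' > "$dir/bin/rnews"
    chmod 6755 "$dir/bin/rnews"
    : > "$dir/bin/plain"
    chmod 0755 "$dir/bin/plain"
    : > "$dir/home/dropper"
    chmod 6777 "$dir/home/dropper"
    printf '%s\n' "$dir"
}

# Human-readable report for one tree.
audit_report() {
    echo "== setuid/setgid files under $1"
    list_suid "$1"
    echo "== owned by a non-root account (owner can replace the binary)"
    list_nonroot_suid "$1"
    echo "== group- or world-writable (anyone can replace the binary)"
    list_writable_suid "$1"
}

# Usage: sh audit.sh /path/to/tree
# With no argument it audits the constructed sample tree and removes it.
if [ $# -gt 0 ]; then
    audit_report "$1"
else
    sample=$(make_sample_tree)
    audit_report "$sample"
    rm -rf "$sample"
fi
```

On a real system the non-root list is the one to read first: every entry names an account whose compromise hands out the binary's privileges, exactly as news did for rnews. The writable list should normally be empty; a setuid file that others can write is already under someone else's control.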
----------------------------------------------------------------
Internet: avenger at runx.ips.oz.au
UUCP: uunet!runx.ips.oz.au!avenger
Founder of the League of Computer Criminals