Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am studying the buffer overflow mechanism. I wrote a test program with a buffer overflow vulnerability and set it setuid root.
I then tried to exploit this program to launch applications with root privilege. If I run shellcode to launch a normal binary, it really runs as root, but if I try to launch /bin/bash with the buffer overflow, the launched shell can only run under the normal user's privilege. Why? Isn't starting a root shell an important goal for buffer overflow? Many papers said that we can start a root shell, but why did I fail?
"Isn't starting a root shell an important goal for buffer overflow?"
No. The opposite is true. The kernel developers put a lot of effort into making sure that a buffer overflow does not allow a user to gain root access. If you manage to use a buffer overflow to gain root access then you should report it as a bug to the kernel developers.
I am researching techniques to prevent buffer overflows. But before I can get a reasonable solution, I have to know the details of buffer overflow. That's why I am doing some simulation. The final goal is still to protect computer systems.
Also, I believe that the best way to protect a system is to analyze it as deeply as possible, not just hide all the details.
So, if someone happens to know the answer to my question, please give a hand.
Now, realise it's 2:30 AM, so I could be talking gibberish...
It might be an issue with setuid versus seteuid. The euid context is being kept through the shellcode execution, but being lost via the alternative method you are using. Or something similar. You really cut the details a bit on the fine side, so this could be completely unrelated.
I am not sure what the second post in this thread is talking about, at all.
Originally posted by uskitten [ ... ]
execve("/bin/bash",prog,env);
getchar();
return 0;
[...]
Does the program get to the getchar and the return statement? I know it is a long shot, but if it does then the execve is failing and you are probably back in your own shell (that I presume is not a root shell...).
No. The program did not reach the "getchar()" line, and I did get a new shell. The only trouble is that the newly spawned shell is still under my name, not root.
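The behaviour in this thread is bash's own privilege check: when a process's real and effective uids differ, bash sets the effective uid back to the real one before it runs anything, so a shell spawned from a setuid-root binary comes up as the ordinary user. The following added example (not code from the thread; it assumes Linux with glibc for getresuid/setresuid) prints those uids and shows the pattern a setuid program should itself follow, dropping to the real uid and verifying the drop before spawning any subprocess.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Report the three uids a setuid binary carries.  Run setuid root by an
 * ordinary user this prints real=<user> effective=0 saved=0; a shell that
 * is exec'd from here inherits exactly these values, and bash, seeing
 * real != effective, resets effective to real before running anything. */
void print_ids(const char *label) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0) {
        perror("getresuid");
        return;
    }
    printf("%s: real=%u effective=%u saved=%u\n", label,
           (unsigned)ruid, (unsigned)euid, (unsigned)suid);
}

/* Permanently drop to the real uid and verify that the drop stuck.
 * Returns 0 on success, -1 if any of the three uids is still not the
 * real uid.  A setuid program that must spawn a subprocess should do
 * this before execve rather than rely on the child to drop anything. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    uid_t r, e, s;

    /* Setting real, effective and saved together means the process can
     * never switch back to the previous effective uid. */
    if (setresuid(ruid, ruid, ruid) != 0) {
        perror("setresuid");
        return -1;
    }
    /* Never trust the return value alone: read the uids back. */
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid)
        return -1;
    return 0;
}

int main(void) {
    print_ids("before drop");
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    print_ids("after drop");
    return 0;
}
```

Run as a normal user all three uids are already equal and the drop is a no-op; installed setuid root it shows effective=0 before the drop and the real uid afterwards.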