[SOLVED] suid bit on executable wont spawn a shell
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've trying to understand the concept of buffer overflows and I tried to understand how the shellcode is executed. To start simple I've created the following program
I would expect when I run this as a regular user I get a root shell. What happens is that a shell with my user is spawned. On the other hand when I compile this code
compile it, and set the owner and permissions as in the example above i get as output
Code:
Real UID = 1001
Effective UID = 0
Real GID = 100
Effective GID = 100
so it looks like there is some mechanism (in the kernel?) which prevents a suid program from executing a root shell. Is there any way to "switch" this off? I've learned for example that ASLR can be switched off with
so it looks like there is some mechanism (in the kernel?) which prevents a suid program from executing a root shell.
Yes, there is. I was looking into this a few months back and ran into similar "problems" and discovered that there are more security mechanism built into setuid than just setting the bit and changing the ownership to root. I apologize, but it has been too long since I worked on it to recall the exact details, but if you do a google search for setuid tutorials you should find the references which will show you how to make it work.
/bin/sh is typically a link to /bin/bash. For a while now, bash will always switch to real user-id. If you add a call in your shell example:
Code:
setuid(0);
You should find that it works as expected. NOTE: this is because of how setuid behaves when euid = 0. As a confirmation, change the setuid sticky bit on your bash shell and watch what happens :P
One additional thing to note is that this helps to enforce the mindset of "don't use setuid scripts." There are many reasons why we want to avoid them, not the least of which is because people can find TONS of ways to inject execution into your setuid script without you even knowing it.
Jazzmo, would you please elaborate on your approach. I don't mean to offend, but modifying the bash source code without performing some serious regression testing might be a really good way to open up some vulnerabilities.
I might also suggest that you take a look at this link: http://www.tuxation.com/setuid-on-shell-scripts.html
I am reasonably certain that it is the one that I used when I was experimenting with setuid and had the same problem that I think you are running into.
Jazzmo, would you please elaborate on your approach. I don't mean to offend, but modifying the bash source code without performing some serious regression testing might be a really good way to open up some vulnerabilities.
I might also suggest that you take a look at this link: http://www.tuxation.com/setuid-on-shell-scripts.html
I am reasonably certain that it is the one that I used when I was experimenting with setuid and had the same problem that I think you are running into.
Hi Noway2,
as I wrote in the beginning, i'm experimenting with buffer overflows. Mostly they spawn a shell. I didn't understand how someone would get a root shell by exploiting a setuid executable. Now I understand that the shell itself prevents this, so the shellcode must do something different. If the process is run by root the exploit would result in a root shell. Of course I wouldn't weaken the security of my productive systems this way, although I also learned that this could be a simple backdoor too.
If you want to experiment and learn, try http://roothack.org/games/sirens/info first server is too simple, just privilege scalation. Sencond server is the interesting one, there you have to do buffer overflows, use string vulnerabilities and so on. I learnt a lot there.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.