navawatanasob
09-16-2004 11:20 PM
suid peculiarities
After reading up on memory segmentation and C programming for a while now, I've finally gotten to the point where I can start writing my own programs in C and fool around with buffer overflows. Last night I started playing around with exploiting vulnerable suid C programs, and interestingly, I found that the suid bit I thought I knew so much about was actually more complicated than I thought. Setting /bin/bash to suid root and running it didn't change the euid, which was initially mind-boggling to me. After some research, I realized that this was because since version 2.0, bash drops the euid/uid privileges. This was interesting, but more interesting (actually becoming annoying) to me were the following findings.
After successfully writing a C program vulnerable to a simple buffer overflow and an exploit program to go along with it, I started testing. For fear that an attacker would use my research to root my machine, I made a new user "woot" on my box, so I could play around with suid programs without actually leaving my box vulnerable. I chowned the vulnerable program to woot:users and set the suid bit, but running my exploit didn't change my euid or uid at all! I thought it might have something to do with the shellcode dropping privileges (I didn't write the shellcode -- copied it out of a book), but this turned out to be false. After chowning the vulnerable program to root:root and setting the suid bit, I ran my exploit and I became root. I don't understand what's going on. When the vulnerable program is suid root, I run the exploit and become root, but when it is suid any other user, I don't become the other user. Can anyone explain what's going on here??? Thanks in advance, and sorry if there's a repeat thread somewhere -- I couldn't find one.
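The behaviour the post describes comes down to which of the three uids a process holds (real, effective, saved) a setuid exec actually changes, and what a shell does when it finds them out of sync. On Linux, exec of a suid file sets the effective and saved uid to the file's owner and leaves the real uid alone; setuid(0) from a non-root effective uid then fails with EPERM, and bash started with euid != uid resets euid back to uid unless invoked with -p. The diagnostic below is an added example written for this thread, not code from the poster; it reads the uid triple with getresuid() and classifies the context without changing any ids, so it is safe to build, chown to a scratch user such as the post's "woot", chmod u+s, and run to watch the effective uid move while the real uid stays put.

```c
/* Added example (not from the forum post): report the real/effective/saved
 * uid triple a process holds and explain what a setuid exec did or did not
 * grant. Nothing here changes privileges; it only reads and classifies. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct uid_triple {
    uid_t real;      /* the user who launched the process */
    uid_t effective; /* what the kernel checks file permissions against */
    uid_t saved;     /* copied from the file owner on a setuid exec */
};

/* Fill *t from the kernel; returns 0 on success, -1 on error. */
int read_uids(struct uid_triple *t)
{
    return getresuid(&t->real, &t->effective, &t->saved);
}

/* A setuid exec shows up as an effective uid that differs from the real uid. */
int is_setuid_context(const struct uid_triple *t)
{
    return t->effective != t->real;
}

/* Linux rule for an unprivileged process: setuid(id) succeeds only when id
 * equals the real, effective or saved uid. So a binary that is suid to an
 * unprivileged user can never reach uid 0 via setuid(0): the kernel grants the
 * file owner's id and nothing more. Capabilities such as CAP_SETUID are not
 * modelled here. */
int could_reach_root(const struct uid_triple *t)
{
    return t->real == 0 || t->effective == 0 || t->saved == 0;
}

/* Bash (and other shells that follow it) compare euid against uid on start-up
 * and, when they differ, reset euid to uid unless run with -p. This predicts
 * whether a plain bash launched from this context keeps the elevated uid. */
int bash_would_drop_euid(const struct uid_triple *t)
{
    return is_setuid_context(t);
}

int main(void)
{
    struct uid_triple t;
    if (read_uids(&t) != 0) {
        perror("getresuid");
        return 1;
    }
    printf("real=%u effective=%u saved=%u\n",
           (unsigned)t.real, (unsigned)t.effective, (unsigned)t.saved);
    printf("setuid context: %s\n", is_setuid_context(&t) ? "yes" : "no");
    printf("setuid(0) could succeed: %s\n", could_reach_root(&t) ? "yes" : "no");
    printf("bash would reset euid to uid: %s\n",
           bash_would_drop_euid(&t) ? "yes (unless bash -p)" : "no");
    return 0;
}
```

Run it normally first: all three uids are yours and every answer is "no". Owned by a test user with the suid bit set, the effective and saved uids become that user while the real uid stays yours, and "setuid(0) could succeed" stays "no", which is exactly why a suid-woot binary cannot turn anyone into root; only a root-owned suid file puts a 0 into the triple. The same check is a useful audit habit when reviewing a suid helper: if it never needs to keep a non-root saved uid, it should drop to the real uid early with setresuid().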