Faking uids
Is it a security problem that I can trick applications into thinking I'm someone else by using LD_PRELOAD to load a library that overrides getuid and geteuid?
I found this trick to work on a 3rd-party application that lets you log in without a password if a username exists in the system that matches the OS's username. This trick, however, does not work, for example, when using ls trying to see the contents of a folder with permissions 700. So is there a better way for applications to tell who is running them than to trust the value returned from getuid (as it can be overridden)? I'd like to report the problem to the application vendor with a suggested fix. Thanks, ~Eric
Compile with gcc -o test test.c
Code:
#include <stdio.h>

Compiles a library overriding getuid and geteuid, puts it in LD_PRELOAD, and then runs a command. Example: ./runas.sh johndoe ./test
Code:
#!/bin/bash
I am, however, fooling the application and I'm wondering if there is a better way for the application to check the ID rather than just trusting the returned value of getuid.
Use syscall 24 directly?
Code:
#include <stdio.h>
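The reply above suggests calling the kernel directly instead of going through the libc wrapper that an LD_PRELOAD shim (like the one in the earlier post) can replace. The following is an added example, not code from this thread: it fetches the uid/euid with syscall(2), compares them with what libc's getuid()/geteuid() report, and flags a mismatch. It assumes Linux with glibc; the function names kernel_getuid, kernel_geteuid and uid_is_interposed are my own. Using the SYS_getuid/SYS_geteuid macros from <sys/syscall.h> rather than a hardcoded 24 makes it build on any Linux architecture, since the raw numbers differ (24 is the i386 number, x86_64 uses 102).

```c
/* Added example (not from the thread): detect interposed getuid()/geteuid()
 * by comparing the libc wrappers against a direct system call.
 * Assumes Linux + glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Matches glibc's declaration; stated explicitly so the file also builds
 * under strict -std=c* modes that hide it from <unistd.h>. */
extern long syscall(long number, ...);

/* uid/euid as the kernel reports them, bypassing the (interposable) libc
 * wrappers. SYS_getuid / SYS_geteuid expand to the right number for the
 * target architecture, so no hardcoded syscall number is needed. */
uid_t kernel_getuid(void)  { return (uid_t)syscall(SYS_getuid); }
uid_t kernel_geteuid(void) { return (uid_t)syscall(SYS_geteuid); }

/* Returns 1 if the libc wrappers disagree with the kernel, i.e. something
 * (an LD_PRELOAD shim, for instance) is interposing getuid()/geteuid()
 * in this process; returns 0 when both sources agree. */
int uid_is_interposed(void)
{
    return getuid()  != kernel_getuid() ||
           geteuid() != kernel_geteuid();
}

int main(void)
{
    printf("libc   getuid=%u geteuid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("kernel getuid=%u geteuid=%u\n",
           (unsigned)kernel_getuid(), (unsigned)kernel_geteuid());

    if (uid_is_interposed()) {
        puts("getuid()/geteuid() are being interposed (LD_PRELOAD?)");
        return 1;
    }
    puts("libc and kernel agree");
    return 0;
}
```

To try it against a shim, build a library of the kind the earlier post describes (a constructed one: a fakeuid.c that defines `uid_t getuid(void) { return 1000; }` and the same for geteuid, compiled with `gcc -shared -fPIC -o fakeuid.so fakeuid.c`), then run `LD_PRELOAD=./fakeuid.so ./uidcheck`: the libc line shows 1000 while the kernel line still shows the real id. Two caveats: on 32-bit i386 SYS_getuid is the legacy 16-bit variant (glibc itself uses getuid32), so use SYS_getuid32 there if uids above 65535 matter; and, as the later replies point out, this only raises the bar for a local attacker, since ptrace, a VM, or a kernel module can still lie to the process. The check is worth having as a tripwire, not as an authentication mechanism.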
Thanks Cedrik
That worked. I'm assuming this fix is for x86 Linux only?
Is it foolproof? Is there no way to override this syscall?
Yes, it's for x86 Linux only.
You could make a kernel module to fool syscalls, but it requires root privileges to insert a module.
It looks like there are routines for attaching to a process, debugging it and modifying its memory.
You could also just run it in a VM. The app can always be fooled by just being able to obtain a copy of it. The OS can't without root/physical access.
Your app really need only trust what the OS/launch environment is telling it. If the binary itself contains some secret and a malicious user gets a copy of it to run so as to trick it into revealing the secret when running, they can also just extract the secret without usual execution. If it's an app that accesses some secret stored elsewhere, it's just a client, and you defer to server-side authentication.