Security of SUID binaries
Hey all,
I read that SUID (and, a bit less, SGID) binaries are a prime target for local attacks. I understood that when using such a binary, the user identity is switched to the root identity to access some protected part of the system (like the /etc/passwd file, and so on). But what I don't understand is how these binaries can be attacked. /usr/bin/passwd allows me to change the protected /etc/passwd file. But how can this binary be attacked? By giving a very long username to the binary? Can someone give me some info? Thanks
Quote:
But I don't see how a local binary can be attacked... Any clue?
I understand buffer overflows when an application listens on a socket and can receive aggressive data.
Locally... I struggle. How can you attack an application like ping (which is SUID), for example? By giving a maliciously crafted argument to ping? Thx
Quote:
Example: You created an SUID root program for your local users which lets them modify the squid.conf and dnsmasq.conf files by having them open in vi. They execute the command giving the name of the file they wish to edit as an argument. The program is supposed to make sure only those two files are accepted as an argument, but you made a programming mistake and the users are able to make the program open any text file they wish if they just specify a full path. So now the users can take total control of your box thanks to your buggy SUID root program.
Not just that, but if someone realizes they are in an elevated vi session, they can just :sh out to the shell and, just like that, they have root access to your entire machine.
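The argument check from the example above, sketched in C as an added illustration (not code from the thread). The thread does not say what the programming mistake was; the flaw shown here, where only relative names are checked, is an assumed one, and the function names, the `/etc/` location and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for illustration: file names from the post, /etc location assumed. */
static const char *const ALLOWED[] = { "squid.conf", "dnsmasq.conf" };
#define CONF_DIR "/etc/"

static int is_allowed_name(const char *name)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(name, ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Flawed (assumed bug): the allowlist is consulted only for relative names.
 * An argument that is already an absolute path is returned unchecked.
 * Returns the path the wrapper would open, or NULL to refuse. */
const char *resolve_flawed(const char *arg, char *buf, size_t len)
{
    if (arg[0] == '/')
        return arg;                 /* BUG: no allowlist check on this branch */
    if (!is_allowed_name(arg))
        return NULL;
    snprintf(buf, len, CONF_DIR "%s", arg);
    return buf;
}

/* Corrected: the argument is only a key into the allowlist. Anything with a
 * '/' is refused; the path is CONF_DIR plus a name that matched exactly. */
const char *resolve_strict(const char *arg, char *buf, size_t len)
{
    if (arg == NULL || strchr(arg, '/') != NULL || !is_allowed_name(arg))
        return NULL;
    int n = snprintf(buf, len, CONF_DIR "%s", arg);
    return (n > 0 && (size_t)n < len) ? buf : NULL;
}

int main(void)
{
    const char *in[] = { "squid.conf", "/etc/other.conf", "../squid.conf" };
    char a[64], b[64];
    for (size_t i = 0; i < 3; i++) {
        const char *f = resolve_flawed(in[i], a, sizeof a);
        const char *s = resolve_strict(in[i], b, sizeof b);
        printf("%s: flawed=%s strict=%s\n", in[i], f ? f : "-", s ? s : "-");
    }
    return 0;
}
```

Validating the path does nothing about the `:sh` escape mentioned above; that is only closed by not running the editor with root privileges.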
Ok, it is clearer.
Thanks