LinuxQuestions.org

Linux - Security: Security of SUID binaries (https://www.linuxquestions.org/questions/linux-security-4/security-of-suid-binaries-685523/)

PlatinumX 11-23-2008 05:25 AM

Security of SUID binaries
 
Hey all,

I read that SUID (and, a bit less, SGID) binaries are prime targets for local attack.

I understood that when using such a binary, the user identity is switched to the root identity to access some protected part of the system (like the /etc/passwd file, and so on).

But what I don't understand is how these binaries can be attacked?

/usr/bin/passwd allows me to change the protected /etc/passwd file.

But how can this binary be attacked?
By giving a very long username to the binary?

Can someone give me some info?

Thanks

win32sux 11-23-2008 09:53 AM

Quote:

Originally Posted by PlatinumX (Post 3351725)
But what I don't understand is how these binaries can be attacked?

The same way any non-SUID binaries would be attacked. The difference is that when exploiting a vulnerability on a non-SUID binary, the bad guy would still need to find another way to elevate privileges. If the binary he exploits is SUID, then you eliminated that second step for him.

PlatinumX 11-23-2008 03:29 PM

Quote:

The same way any non-SUID binaries would be attacked
I understand that a network service, listening on a port, can be attacked by receiving a maliciously crafted packet.

But I don't see how a local binary can be attacked...

Any clue ?

win32sux 11-24-2008 12:06 AM

Quote:

Originally Posted by PlatinumX (Post 3352086)
I understand that a network service, listening on a port, can be attacked by receiving a maliciously crafted packet.

But I don't see how a local binary can be attacked...

Any clue ?

The most ubiquitous example I think would be the exploitation of buffer overflows.

PlatinumX 11-24-2008 12:45 PM

I understand buffer overflow when an application listens on a socket and can receive aggressive data.

Locally... I struggle.

How can you attack an application like ping (which is SUID), for example?
By giving a maliciously crafted argument to ping?

Thx

win32sux 11-24-2008 01:23 PM

Quote:

Originally Posted by PlatinumX (Post 3352984)
I understand buffer overflow when an application listens on a socket and can receive aggressive data.

Locally... I struggle.

How can you attack an application like ping (which is SUID), for example?
By giving a maliciously crafted argument to ping?

I don't have any specifics about ping for you, but input is input whether it comes from the network or locally. Keep in mind that the buffer overflow exploit was just one example. Simple input sanitizing/validation problems could be enough to let a bad guy wreak havoc on your box using a vulnerable SUID root binary, without the need to do buffer overflowing.

Example: You created an SUID root program for your local users which lets them modify the squid.conf and dnsmasq.conf files by having them open in vi. They execute the command giving the name of the file they wish to edit as an argument. The program is supposed to make sure only those two files are accepted as an argument, but you made a programming mistake and the users are able to make the program open any text file they wish if they just specify a full path. So now the users can take total control of your box thanks to your buggy SUID root program.

Poetics 11-24-2008 02:16 PM

Not just that, but if someone realizes they are in an elevated vi session, they can just :sh out to the shell and, just like that, they have root access to your entire machine.
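
As an added illustration (this is not code from the thread or from any of its posters), here is a C sketch of the SUID root config editor win32sux describes, in three parts: the kind of allowlist mistake the post talks about (a check that only covers bare file names, so a full path goes straight through), a hardened lookup where the user picks a keyword and never supplies a path at all, and, for Poetics' point about :sh, a launcher that copies the file to a scratch copy owned by the caller and runs the editor only after permanently dropping to the caller's uid/gid, so an escape to a shell from inside vi gives that user's shell, not root's. This last part goes beyond what the posts spell out; it is the same pattern sudoedit uses. The config paths, the program name cfgedit and the editor path /usr/bin/vi are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1. The mistake the post describes: only bare names are compared against
 *    the allowlist, so an argument starting with '/' skips the check.
 *    Returns 1 if the argument would be handed to the privileged editor. */
int buggy_is_allowed(const char *arg)
{
    if (arg[0] != '/')
        return strcmp(arg, "squid.conf") == 0 ||
               strcmp(arg, "dnsmasq.conf") == 0;
    return 1;                  /* BUG: any absolute path is accepted */
}

/* 2. Hardened lookup: a keyword selects one entry of a fixed table (paths
 *    are assumptions for this example); anything else is refused. */
static const struct { const char *key; const char *path; } targets[] = {
    { "squid",   "/etc/squid/squid.conf" },
    { "dnsmasq", "/etc/dnsmasq.conf"     },
};

const char *hardened_lookup(const char *arg)
{
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        if (strcmp(arg, targets[i].key) == 0)
            return targets[i].path;
    return NULL;
}

/* 3. Never run the editor as root: edit a user-owned scratch copy in a
 *    child that has dropped privileges, then copy the result back. */
static int copy_fd(int in, int out)
{
    char buf[4096];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n)
            return -1;
    return n < 0 ? -1 : 0;
}

int edit_as_user(const char *path)
{
    uid_t uid = getuid();      /* real ids = the unprivileged caller */
    gid_t gid = getgid();
    char tmp[] = "/tmp/cfgedit.XXXXXX";

    int src = open(path, O_RDONLY | O_NOFOLLOW);
    int scratch = mkstemp(tmp);
    if (src < 0 || scratch < 0 || fchown(scratch, uid, gid) < 0 ||
        copy_fd(src, scratch) < 0) {
        perror("prepare scratch copy");
        return -1;
    }
    close(src);
    close(scratch);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop real, effective and saved ids, then exec a fixed editor
         * path with a minimal environment. ":sh" here is the user's shell. */
        if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0 ||
            geteuid() != uid)
            _exit(127);
        char *const argv[] = { "vi", tmp, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/usr/bin/vi", argv, envp);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return -1;

    /* Copy back only a regular file still owned by the caller (no symlink
     * is followed) into the fixed target path chosen by hardened_lookup. */
    struct stat st;
    int edited = open(tmp, O_RDONLY | O_NOFOLLOW);
    int dst = open(path, O_WRONLY | O_TRUNC | O_NOFOLLOW);
    int rc = -1;
    if (edited >= 0 && dst >= 0 && fstat(edited, &st) == 0 &&
        S_ISREG(st.st_mode) && st.st_uid == uid)
        rc = copy_fd(edited, dst);
    if (edited >= 0) close(edited);
    if (dst >= 0) close(dst);
    unlink(tmp);
    return rc;
}

int main(int argc, char **argv)
{
    const char *target = argc == 2 ? hardened_lookup(argv[1]) : NULL;
    if (!target) {
        fprintf(stderr, "usage: cfgedit squid|dnsmasq\n");
        return 2;
    }
    return edit_as_user(target) == 0 ? 0 : 1;
}
```

Installed SUID root and invoked as "cfgedit squid", the program opens only the table entry for that keyword; passing a file name or any path, full or relative, is rejected before anything privileged happens. The scratch copy plus privilege drop is what removes the :sh problem Poetics raises: the only process that ever has root is the parent, and it never spawns anything interactive.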

PlatinumX 11-25-2008 05:29 AM

Ok, it is clearer.
Thanks

