Old 11-23-2008, 06:25 AM   #1
PlatinumX
Question Security of SUID binaries


Hey all,

I read that SUID (and a bit less SGID) binaries are a prime target for local attacks.

I understood that when using this kind of binary, the user identity is switched to the root identity to access some protected part of the system (like the /etc/passwd file, and so on).

But what I don't understand is how these binaries can be attacked ?

/usr/bin/passwd allows me to change the protected /etc/passwd file.

But how can this binary be attacked ?
By giving a very long username to the binary ?

Can someone give me some info ?

Thanks
 
Old 11-23-2008, 10:53 AM   #2
win32sux
Quote:
Originally Posted by PlatinumX
But what I don't understand is how these binaries can be attacked ?
The same way any non-SUID binaries would be attacked. The difference is that when exploiting a vulnerability on a non-SUID binary, the bad guy would still need to find another way to elevate privileges. If the binary he exploits is SUID, then you eliminated that second step for him.
 
Old 11-23-2008, 04:29 PM   #3
PlatinumX
Quote:
The same way any non-SUID binaries would be attacked
I understand that a network service, listening on a port, can be attacked by receiving a maliciously crafted packet.

But I don't see how a local binary can be attacked...

Any clue ?
 
Old 11-24-2008, 01:06 AM   #4
win32sux
Quote:
Originally Posted by PlatinumX
I understand that a network service, listening on a port, can be attacked by receiving a maliciously crafted packet.

But I don't see how a local binary can be attacked...

Any clue ?
The most ubiquitous example I think would be the exploitation of buffer overflows.
 
Old 11-24-2008, 01:45 PM   #5
PlatinumX
I understand buffer overflow when an application listens on a socket and can receive aggressive data.

Locally... I struggle.

How can you attack an application like ping (which is SUID), for example ?
By giving a maliciously crafted argument to ping ?

Thx
 
Old 11-24-2008, 02:23 PM   #6
win32sux
Quote:
Originally Posted by PlatinumX
I understand buffer overflow when an application listens on a socket and can receive aggressive data.

Locally... I struggle.

How can you attack an application like ping (which is SUID), for example ?
By giving a maliciously crafted argument to ping ?
I don't have any specifics about ping for you, but input is input whether it comes from the network or locally. Keep in mind that the buffer overflow exploit was just one example. Simple input sanitizing/validation problems could be enough to let a bad guy wreak havoc on your box using a vulnerable SUID root binary, without the need to do buffer overflowing.

Example: You created an SUID root program for your local users which lets them modify the squid.conf and dnsmasq.conf files by having them open in vi. They execute the command giving the name of the file they wish to edit as an argument. The program is supposed to make sure only those two files are accepted as an argument, but you made a programming mistake and the users are able to make the program open any text file they wish if they just specify a full path. So now the users can take total control of your box thanks to your buggy SUID root program.
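
The programming mistake described in this post, as an added example that is not part of the original thread: one plausible form of the bug (the allow-list is applied only to bare file names) next to a corrected check. The function names and the two /etc paths are assumptions, and the program only resolves names; it opens nothing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed paths for the two files named in the post (not from the thread). */
static const char *const ALLOWED[][2] = {
    { "squid.conf",   "/etc/squid/squid.conf" },
    { "dnsmasq.conf", "/etc/dnsmasq.conf"     },
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Look up a bare file name in the allow-list; NULL if it is not listed. */
static const char *lookup(const char *name)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(name, ALLOWED[i][0]) == 0)
            return ALLOWED[i][1];
    return NULL;
}

/* Buggy: the allow-list is consulted only for bare names. Anything that
 * contains '/' is passed through unchanged, so the caller picks the file. */
const char *resolve_buggy(const char *arg)
{
    if (strchr(arg, '/') != NULL)
        return arg;
    return lookup(arg);
}

/* Fixed: the argument is only a key. The path that gets opened always
 * comes from the table, never from the caller's string. */
const char *resolve_fixed(const char *arg)
{
    if (arg == NULL || strchr(arg, '/') != NULL)
        return NULL;
    return lookup(arg);
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = { "squid.conf", "dnsmasq.conf", "hosts",
                              "/etc/passwd", "../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *b = resolve_buggy(samples[i]);
        const char *f = resolve_fixed(samples[i]);
        printf("%-18s buggy=%-22s fixed=%s\n", samples[i],
               b ? b : "(rejected)", f ? f : "(rejected)");
    }
    return 0;
}
```

The corrected check only constrains which file is opened; it does nothing about what an interactive editor running as root can do once it has started.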
 
Old 11-24-2008, 03:16 PM   #7
Poetics
Not just that, but if someone realizes they are in an elevated vi session, they can just :sh out to the shell and, just like that, they have root access to your entire machine.
 
Old 11-25-2008, 06:29 AM   #8
PlatinumX
Ok, it is clearer.
Thanks
 