Hi traqers of bugs !

Here is my first patch for Linux. Its purpose is to stop some exploits based on using the SUID bit. For better protection it should be combined with Solar Designer's one (but it could work independently too). It doesn't make writing exploits impossible, but at least a bit tougher. I have tested it on my computer, but it is possible that it won't work in some cases.

How does it work - for each process it stores a new uid (I have chosen the name RUID = Real UID). The purpose of RUID is to keep track of who is the real owner of this process (it is inherited from the parent process and changed only when root's process runs a process under a different EUID). When a process tries to spawn (fork/exec) a process under EUID!=RUID and it is not originally root's process (RUID==0), it is reported to the console and EUID is forced to RUID. Of course, sometimes it is required for a process to spawn something under a different EUID (an example is 'su'). I needed to somehow mark programs that are allowed to spawn under a different EUID. For this purpose I have chosen a new bit (thus it cannot be marked by chmod). So, programs marked in this way CAN spawn programs under a different UID.

Explanation of how it works on exploits. Ex, standard old exploit by Solar D. (the one using NLSPATH on "/bin/su"):

1) user (hacker) COOLER runs program a.out
2) process a.out gets ruid=(uid of COOLER)
3) process a.out prepares what it needs (set variable,...)
4) it runs process '/bin/su'
5) process 'su' gets RUID=(uid of COOLER) and EUID=0
6) something happens (exploit code gets control)
7) it does 'setuid(0)' to set its *UID=0
8) when trying to 'exec("/bin/sh"...)', my code checks if it can do so (variable 'secure' is used for this). If not, a message is sent to the console and EUID=(uid of COOLER).

values of secure:
0 = unsecure program
1 = secure program
2 = program that isn't secure, but was run by a secure program. This isn't used in the present version of the patch, but probably will be used in some future version.

There are some other things that this patch should do. To mark secure programs, I needed to use some technique. At this moment I use the S_ISVTX (+t bit), but I have another idea - use a new bit. The problem is that there is no free space in the standard inode attributes :) So I decided to use inode->flags, but I still don't know how it is possible to set the flags :) Many other ideas will be implemented in the next version of this patch.

Of course, this patch is not absolutely proof. Here are two ways of bypassing the exploit

1) hacker doesn't need to exec anything (he can do everything in the exploit code. ex, write something to passwd/shadow,..., because at that moment it runs under EUID=0).

programs that require marking using my patch to work properly:
/bin/su
possibly some programs (xterm,...) from the X11 package, but I haven't found any problems without this bit.

Hope this patch will help :)

g00bER

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Name: Peter Kosinar
Work :) student and 'co-admin' of school Novell and Linux server
E-Mail: gooberat_private (preferred) gooberat_private
URL: http://www.gjh.schools.sk/~goober (under reconstruction now)
Interests: crypto, [anti]virus, bugs

[Attachment: seww2 (TEXT/PLAIN, BASE64-encoded)]
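Added example, not part of the original message or its attached patch: a user-space C model of the RUID check described in the message, run through steps 1-8 with /bin/su unmarked and marked. The struct and function names, the uid 1000 and the simplified setuid rule are assumptions of this model, and group ids are left out.

```c
#include <stdio.h>
enum { SEC_UNSECURE = 0, SEC_SECURE = 1, SEC_BY_SECURE = 2 }; /* 'secure' values from the message */
struct proc  { int uid, euid, ruid, secure; };
struct image { const char *path; int suid_owner; int marked; }; /* suid_owner -1: no SUID bit */

/* exec(): returns 1 when the exec is reported and the ids are forced back to RUID.
 * Assumption: only secure == 0 is checked; RUID 0 (root's process) is exempt. */
static int model_exec(struct proc *p, const struct image *img)
{
    int forced = p->secure == SEC_UNSECURE && p->ruid != 0 &&
                 (p->euid != p->ruid || p->uid != p->ruid);
    if (forced) {
        printf("reported: exec of %s with EUID %d, RUID %d\n", img->path, p->euid, p->ruid);
        p->uid = p->euid = p->ruid;
    }
    if (img->marked)                  p->secure = SEC_SECURE;
    else if (p->secure == SEC_SECURE) p->secure = SEC_BY_SECURE;
    else                              p->secure = SEC_UNSECURE;
    if (img->suid_owner >= 0)         p->euid = img->suid_owner; /* SUID bit */
    return forced;
}

/* setuid(): simplified; RUID follows only while the process is still root's. */
static int model_setuid(struct proc *p, int uid)
{
    if (p->euid != 0 && uid != p->uid) return -1;
    p->uid = p->euid = uid;
    if (p->ruid == 0) p->ruid = uid;
    return 0;
}

/* Steps 1-8: returns the EUID of /bin/sh; *euid_before_sh is the EUID held at steps 6-7. */
static int run_scenario(int cooler_uid, int su_marked, int *euid_before_sh)
{
    struct proc p = { cooler_uid, cooler_uid, cooler_uid, SEC_UNSECURE };
    struct image a_out = { "a.out", -1, 0 }, sh = { "/bin/sh", -1, 0 };
    struct image su = { "/bin/su", 0, su_marked };
    model_exec(&p, &a_out);      /* steps 1-3 */
    model_exec(&p, &su);         /* steps 4-5: EUID=0, RUID unchanged */
    model_setuid(&p, 0);         /* steps 6-7 */
    *euid_before_sh = p.euid;
    model_exec(&p, &sh);         /* step 8 */
    return p.euid;
}

int main(void)
{
    int b, plain = run_scenario(1000, 0, &b), marked = run_scenario(1000, 1, &b);
    printf("sh EUID with unmarked su: %d, with marked su: %d\n", plain, marked);
    return 0;
}
```

The value written to `euid_before_sh` is 0 in both runs, which is the window the message's bypass note refers to: the check acts only at exec time.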
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:20 PDT