Re: First Patch :)

From: Aleph One (aleph1at_private)
Date: Fri May 29 1998 - 11:49:15 PDT

Next message: Frank Darden: "Re: FileMaker Door"

Previous message: Richard Braakman: "Re: ircii-pana (BitchX) 74p4 overflow - exploit/fix"
Maybe in reply to: Peter 'Goober' Kosinar: "First Patch :)"
Next in thread: Chris Evans: "Re: First patch :)"
Next in thread: Aleph One: "Re: First Patch :)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Interesting patch. To clear things up this patch does two things:

1) It stops processes from being able to exec() other programs with
an uid different from that of the original user unless the process
has been marked as secure.

2) It stops processes from being able to fork() with an uid different from
that of the original user unless the process has been marked as secure.

In both cases the process is allowed to continue with the exec() and fork()
but the uid and euid are forced to the original users uid. A file is
marked as secure by flipping a bit on its inode.

This minimizes the actions an attacker can do if they compromise a
setuid program that is not marked as secure. They will not be able to
fork() or exec() while maintaining their privilege. This also greatly
resticts the program itself. I wonder how many suid programs don't fork()
or exec() while maintaining privilege for some reason. If the are many it
defeats the purpose of the patch as you will have to mark them all as
'secure'.

But for a quick glance the patch seems to break 'su'. For example, joe
want to su to tom from his shell. His uid is 10, and tom's 20.

Process         RUID    UID     EUID    Secure

sh              10      10      10      0

The shell forks and execs su. All his uid's match so there is no problem.
su is market a 'secure'.

su              10      10      0       1

Now su changes uid's to tom's. Notice that in the code the RUID
is only ever changed if it already 0, so it doesn't change.

su              10      20      20      1

Now su exec's sh. su is a 'secure' process so it's ok to exec with
different a different uid and euid than ruid. The secure flag is  set to 2
to indicate a child of a secure program.

sh              10      20      20      2

Now what happens if we try to run 'ls'? Well the sh forks first.
But wait. Our uid and euid are different from the ruid and fork won't
allow that. So ls ends up running under our old uid!

ls              10      10      10      0

You need to work a bit more on the semantics. The RUID must be reset
at some point if you want to be able to 'su' from accounts other than root..


Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Next message: Frank Darden: "Re: FileMaker Door"
Previous message: Richard Braakman: "Re: ircii-pana (BitchX) 74p4 overflow - exploit/fix"
Maybe in reply to: Peter 'Goober' Kosinar: "First Patch :)"
Next in thread: Chris Evans: "Re: First patch :)"
Next in thread: Aleph One: "Re: First Patch :)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:28 PDT