This program will check to see if a given system has the profil(2) bug described in NetBSD Security Advisory 1999-011. If it prints `Counting!' then you've got it...

At least one system (Solaris) appears to fix the security issue but doesn't turn off profiling unless the new image is owned by a different user. To check for this, you need to do something like:

    % cc profiltest.c
    % su
    # mv a.out prog.setuid
    # chown (something) prog.setuid
    # (possibly make it setuid)
    # exit
    % ./a.out

If the program doesn't find prog.setuid, it just exec's itself; this gets the same result on most systems. (So: % cc profiltest.c; ./a.out)

So far, I've only found it in BSD systems. Linux hasn't had profiling in the kernel for a while, so current versions should not be vulnerable.

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* profiling bins; the kernel increments these while profiling is active */
volatile unsigned short twobins[2];

int
main(int ac, char **av)
{
	if (ac == 1) {
		/* can't check the return value; on some systems it's void */
		profil((char *)twobins, sizeof twobins, (u_long)&main, 2);
		/* try a different image for uid/setuid tests */
		execl("prog.setuid", "tryroot", "-", (char *)NULL);
		/* otherwise, just chain to ourself */
		execl(av[0], av[0], "-", (char *)NULL);
		fprintf(stderr, "problems\n");
		exit(1);
	}
	/*
	 * Reached only in the exec'd image (started with an extra argument).
	 * Nonzero bins here mean profiling was still on after the exec.
	 */
	for (;;) {
		if (twobins[0] | twobins[1]) {
			printf("Counting!\n");
			twobins[0] = twobins[1] = 0;
		}
	}
}

/* ross.harveyat_private */