Re: trusting user-supplied data (was Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio)

From: Wietse Venema (wietseat_private)
Date: Wed Apr 24 2002 - 11:17:30 PDT


    It is interesting to see that old problems with set-uid commands
    keep coming back. Allow me to speed up the discussion a bit by
    enumerating a few other channels for attack on set-uid commands.
    
    A quick perusal of /usr/include/sys/proc.h reveals a large number
    of "inputs" that a child process may inherit from a potentially
    untrusted parent process.
    
    The list includes, but is not limited to:
    
        command-line array
        environment array
        open files
        current directory
        blocked/enabled signals
        pending timers
        resource limits
        scheduling priority
    
    All these sources of data can be, and have been, involved in attacks
    on set-uid or set-gid commands (although I do not remember specific
    details of pending timer attacks).
    
    In addition to these "inheritance" attacks which are specific to
    set-uid and set-gid commands, set-uid and set-gid commands can be
    exposed to attacks via the /proc interface, and can be exposed to
    ordinary data-driven attacks by feeding them nasty inputs.
    
    Thus, set-uid and set-gid commands are exposed to a lot more attack
    types than your average network service.  The reason that network
    attacks get more attention is simply that there are more opportunities
    to exploit them.
    
    	Wietse
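As an added example (not part of Wietse's message and not FreeBSD's own code), here is a C startup routine that a set-uid program could run before anything else to neutralize four of the inherited inputs listed above: closed standard descriptors, signal dispositions and block mask, pending interval timers, and the environment. The function names and the minimal PATH value are my own choices, not taken from the message.

```c
#define _GNU_SOURCE 1               /* NSIG, sigaction, setitimer on glibc/musl */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

extern char **environ;

/* Descriptors 0-2: if the caller closed one, our next open() lands on it and
 * silently becomes "stdout" or "stderr". Point each closed one at /dev/null. */
int sanitize_stdfds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd == -1) return -1;
            if (nfd != fd) { int r = dup2(nfd, fd); close(nfd); if (r == -1) return -1; }
        }
    }
    return 0;
}

/* Signals: undo inherited SIG_IGN dispositions and the inherited block mask,
 * so the parent does not get to decide which signals we ignore or never see. */
int sanitize_signals(void) {
    struct sigaction sa; sigset_t none;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_DFL;
    for (int sig = 1; sig < NSIG; sig++)
        (void)sigaction(sig, &sa, NULL);  /* EINVAL for SIGKILL/SIGSTOP: harmless */
    sigemptyset(&none);
    return sigprocmask(SIG_SETMASK, &none, NULL);
}

/* Pending timers: interval timers survive exec and would raise SIGALRM,
 * SIGVTALRM or SIGPROF at a moment of the parent's choosing. Cancel all three. */
int sanitize_timers(void) {
    struct itimerval zero; memset(&zero, 0, sizeof zero);
    int which[] = { ITIMER_REAL, ITIMER_VIRTUAL, ITIMER_PROF };
    for (int i = 0; i < 3; i++)
        if (setitimer(which[i], &zero, NULL) == -1) return -1;
    return 0;
}

/* Environment: drop everything inherited; start from a known-good minimum
 * (constructed value; a real program adds only the variables it needs). */
static char *safe_env[] = { "PATH=/bin:/usr/bin", NULL };
void sanitize_environment(void) { environ = safe_env; }

/* Call this first in main() of a set-uid program, before any other library use. */
int sanitize_inherited_state(void) {
    sanitize_environment();
    return (sanitize_stdfds() || sanitize_signals() || sanitize_timers()) ? -1 : 0;
}
```

Resource limits and scheduling priority from the same list are left untouched here; a program that cares about them should check getrlimit() values against what it needs, rather than trust the inherited ones.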
    