Re: sendmail exploit script - resend

Peter Wemm (peter@gecko.dialix.oz.au)
Mon, 28 Mar 1994 23:46:19 +0800 (WST)

Bonfield James writes:

:># this program will be executed when mail is sent to the fake alias.
:># since solaris sh and csh and tcsh refuse to run when euid != realuid,
:># we instead run the program we compiled above.
:
:Does anyone know quite what the logic behind these shell checks is? They're
:just a pain and a stumbling block, and they are trivial to work around. Is it
:only Sun-derived systems that do this?
:
:	James

It's just a safety precaution, forcing the sysadmin to make a conscious
extra step, and an additional rearguard action.

SVR4 and Solaris (among others) handle suid shell scripts securely.

For example, I made a suid shell script (setuid to a user, and run as
root so that I could trace it..)

root@gecko:[11:38pm]/var/tmp-105# l testsuid
-rwsr-sr-x   1 peter    user          50 Mar 28 23:33 testsuid
root@gecko:[11:38pm]/var/tmp-106# cat testsuid
#! /sbin/sh -p 

# Demonstration script for a setuid shell script on SVR4/Solaris.
# NOTE(review): presumably the -p (privileged) flag is what stops the shell from
# resetting the effective uid/gid back to the real ids; the id output below shows
# euid/egid retained while uid/gid stay root. Confirm against sh(1) on the system.
# $0 is the /dev/fd/N path the kernel passed to the interpreter, not ./testsuid.
echo 0:$0 1:$1 2:$2 3:$3 4:$4
id
root@gecko:[11:38pm]/var/tmp-107# ./testsuid
0:/dev/fd/3 1: 2: 3: 4:
uid=0(root) gid=0(root) euid=433(peter) egid=304(user)
root@gecko:[11:38pm]/var/tmp-108# truss -a ./testsuid
execve("./testsuid", 0x08047C7C, 0x08047C84)  argc = 3
    *** SUID: ruid/euid/suid = 0 / 433 / 433  ***
    *** SGID: rgid/egid/sgid = 0 / 304 / 304  ***
 argv: /sbin/sh -p /dev/fd/3
open("/dev/zero", O_RDONLY, 01001076164)	= 4
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE, 4, 0) = 0x80030000
getuid()					= 0  [ 433 ]
getuid()					= 0  [ 433 ]
close(4)					= 0
sysi86(SI86FPHW, 0x8002DA2C, 0x8002D420, 0x08047C58) = 0x00000000
getpid()					= 23655  [ 23654 ]
getpgid(23655)					= 23654
getsid(23655)					= 23369
brk(0x080583D8)					= 0
sigaction(SIGHUP, 0x00000000, 0x08047BD4)	= 0
sigaction(SIGHUP, 0x08047B70, 0x08047BB0)	= 0
sigaction(SIGINT, 0x00000000, 0x08047BD4)	= 0

[...]

sigaction(SIGXCPU, 0x08047B70, 0x08047BB0)	= 0
sigaction(SIGXFSZ, 0x00000000, 0x08047BD4)	= 0
sigaction(SIGXFSZ, 0x08047B70, 0x08047BB0)	= 0
brk(0x080585D8)					= 0
brk(0x080588D8)					= 0
getuid()					= 0  [ 433 ]
open("/dev/fd/3", O_RDONLY, 01001276470)	= 4
close(19)					Err#9  EBADF
fcntl(4, F_DUPFD, 0x00000013)			= 19
close(4)					= 0
fcntl(19, F_SETFD, 0x00000001)			= 0
ioctl(2, TCGETA, 0x08047BD8)			= 0
ioctl(19, TCGETA, 0x08047BD8)			Err#25 ENOTTY
read(19, " # !   / s b i n / s h  ".., 128)	= 50
brk(0x08058CD8)					= 0
0:/dev/fd/3 1: 2: 3: 4:
write(1, " 0 : / d e v / f d / 3  ".., 24)	= 24
xstat(2, "/sbin/id", 0x08047AA0)		Err#2  ENOENT
xstat(2, "/usr/sbin/id", 0x08047AA0)		Err#2  ENOENT
xstat(2, "/usr/bin/id", 0x08047AA0)		= 0
access("/usr/bin/id", 9)			= 0
fork()						= 23656
uid=0(root) gid=0(root) euid=433(peter) egid=304(user)
    Received signal #18, SIGCLD [default]
      siginfo: SIGCLD CLD_EXITED pid=23656 uid=1 status=0x0000
waitsys(0x00000000, 23656, 0x08047AD8, WEXITED|WTRAPPED|WUNTRACED|WNOWAIT) = 0
ioctl(0, TIOCGPGRP, 0x08047B20)			= 0
ioctl(0, TCGETS, 0x080574D8)			= 0
waitsys(0x00000000, 23656, 0x08047AC8, WEXITED|WTRAPPED|WUNTRACED) = 0
read(19, 0x08057D54, 128)			= 0
ioctl(19, TCGETA, 0x08047BD4)			Err#25 ENOTTY
close(19)					= 0
_exit(0)
root@gecko:[11:38pm]/var/tmp-109# 

As you can see, the interpreter is invoked with the already-open file
descriptor as an argument: "/sbin/sh -p /dev/fd/3". The script is therefore
read from the descriptor the kernel already opened and permission-checked,
rather than being re-opened by pathname by the interpreter.

-Peter

-- 
Peter Wemm <peter@DIALix.oz.au> - NIC Handle: PW65 - The keeper of "NN"
      "My computer is better than your computer" - Anonymous
  (Overheard, shortly after the creation of the second computer....)