Date:      26 Aug 1996 04:42:52 -0500
From:      Zach Heilig <zach@blizzard.gaffaneys.com>
To:        Gene Stark <gene@starkhome.cs.sunysb.edu>
Cc:        security@freebsd.org
Subject:   Re: Vulnerability in the Xt library (fwd)
Message-ID:  <87hgpqo50j.fsf@freebsd.gaffaneys.com>
In-Reply-To: Gene Stark's message of Sun, 25 Aug 1996 23:30:42 -0400 (EDT)
References:  <4vqqpl$bn8@starkhome.cs.sunysb.edu> <199608260330.XAA12903@starkhome.cs.sunysb.edu>

Gene Stark <gene@starkhome.cs.sunysb.edu> writes:

> This is the worst one yet for me.  A crazy idea occurred to me, what do
> other people think?  Why not nip all this stuff in the bud by changing the
> semantics of exec() so that setuid privilege is turned off unless the
> program has previously executed a (new) system call that says "I really
> want setuid privileges to be passed to my children."  Of course, this
> would be nonstandard, but it would have the nice property that since no
> existing program calls this system call (it doesn't exist yet) no further
> exploits of this type would be possible with existing software.
> Calls to this new system call could then be introduced carefully into
> existing software, right at the point where an exec that *has* to preserve
> setuid privilege is performed.
> 
> I would hazard a guess (flame me if I'm wrong) that most setuid programs
> don't need to exec other stuff, so this type of change would not break
> as many things as you might think at first.

Well, all the attacker has to do is add a call to that system call
just before the code that exec()'s the shell.  All this does is add an
extra step for the attacker to maybe stumble on.  Besides, what would
the semantics be if all the userids were 0, as in the case of some
daemons with this sort of vulnerability?  I don't think this would
really solve the problem.  What we need is a lint-like utility (better
than gcc) that can warn when it finds code like:

void f(int argc, char **argv)
{
  char buf[somesize];     /* fixed-size stack buffer, size unrelated to the input */

  strcpy(buf, argv[1]);   /* no bounds check: overflows buf when argv[1] is longer */
}

which is dangerous in all programs, it's just less dangerous than in
setuid ones.

-- 
Zach Heilig (zach@blizzard.gaffaneys.com) | ALL unsolicited commercial email
Support bacteria -- it's the              | is unwelcome.  I avoid dealing
only culture some people have!            | with companies that email ads.
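The "lint-like utility" the reply asks for can be prototyped as a scope-aware pattern scan. The Python script below is an added example for this archive page and is not code from the thread or from FreeBSD: it walks C source line by line, tracks fixed-size array declarations per brace scope, and flags calls to strcpy, strcat, sprintf and gets whose destination is one of those arrays, while leaving bounded calls such as strncpy alone. The C program it scans (SAMPLE_C) is constructed for the demonstration; the brace counting and comment stripping are heuristics, not a real C parser, so a checker built on this would still want a proper front end.

```python
import re
from dataclasses import dataclass

# Copy/format routines that write an unbounded amount of data into their first argument.
UNBOUNDED_SINKS = ("strcpy", "strcat", "sprintf", "gets")

# Fixed-size array declaration: "char buf[64];" -> name "buf", size "64".
# "int" is included because the pattern in the reply used an int array.
DECL_RE = re.compile(r"\b(?:char|unsigned\s+char|int)\s+(\w+)\s*\[\s*([^\]]+?)\s*\]\s*;")
# Call to one of the sinks whose destination is a bare identifier.
CALL_RE = re.compile(r"\b(%s)\s*\(\s*(\w+)\s*[,)]" % "|".join(UNBOUNDED_SINKS))


@dataclass(frozen=True)
class Finding:
    line: int     # line of the offending call
    func: str     # the unbounded routine used
    buffer: str   # destination array
    size: str     # its declared size, as written in the source


def find_unbounded_copies(source: str) -> list[Finding]:
    """Flag calls to unbounded string routines whose destination is a fixed-size
    array visible in the current or an enclosing scope (heuristic, not a parser)."""
    scopes: list[dict[str, str]] = [{}]   # innermost scope is scopes[-1]
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]                 # drop trailing // comments
        code = re.sub(r"/\*.*?\*/", "", code)        # drop single-line /* */ comments
        scopes.extend({} for _ in range(code.count("{")))   # open new scopes
        for name, size in DECL_RE.findall(code):
            scopes[-1][name] = size.strip()
        for func, dest in CALL_RE.findall(code):
            for scope in reversed(scopes):            # innermost declaration wins
                if dest in scope:
                    findings.append(Finding(lineno, func, dest, scope[dest]))
                    break
        for _ in range(code.count("}")):              # close scopes
            if len(scopes) > 1:
                scopes.pop()
    return findings


# Constructed sample input: three unbounded copies and one bounded copy.
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>

char name[32];

int main(int argc, char **argv)
{
  char buf[64];
  char out[64];

  strcpy(buf, argv[1]);                   /* unbounded copy: should be flagged */
  strncpy(out, argv[1], sizeof out - 1);  /* bounded copy: should not be flagged */
  out[sizeof out - 1] = '\0';
  if (argc > 2) {
    char tail[16];
    strcat(tail, argv[2]);                /* unbounded, buffer from inner scope: flagged */
  }
  sprintf(name, "%s", out);               /* unbounded into a global array: flagged */
  printf("%s\n", out);
  return 0;
}
"""

if __name__ == "__main__":
    for f in find_unbounded_copies(SAMPLE_C):
        print(f"line {f.line}: {f.func}() into fixed-size array {f.buffer}[{f.size}]")
```

Run against SAMPLE_C it reports lines 12, 17 and 19 and stays silent on the strncpy at line 13. The scope stack is what keeps the false-positive rate tolerable: a destination is only reported when a fixed-size array of that name is actually in view, so pointer destinations and heap buffers sized from the input are not flagged.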