Date:      Sun, 26 Nov 1995 20:30:19 -0500 (EST)
From:      Charles Henrich <henrich@crh.cl.msu.edu>
To:        freebsd-hackers@freebsd.org
Subject:   Security bug?
Message-ID:  <199511270130.UAA01244@crh.cl.msu.edu>

I am attempting to track down this bug, and it's driving me crazy.  I have
modified the NCSA web server to change its uid to whomever is authenticating to
it.  If the person authenticating is root, I force a change ownership to a
different uid via setuid() seteuid() setgid() and setegid() calls.  The
problem is, after all the set[ug]* calls, I am still able to execute programs
that I shouldn't even be able to read!

The players:

From /etc/group

    adminweb:*:50:
    admin:*:200:Rcrh

From /etc/passwd

    Rcrh:*:0:0:Charles Henrich (root):/root:/usr/local/bin/tcsh
    adminweb:*:50:50:Admin Web:/usr/local/adminweb:/usr/local/bin/tcsh

The test code:

    -rwxr-x---  1 root  admin  8808 Nov 26 20:00 test

The web fallback code looks like (this is executing all the way through,
    user_id and group_id are both 50).

-------------------------------------------------------------------------------
    log_error("Im still root, changing to user/group in cfg file\n");

    if (setgid(group_id) == -1)
        die(CONF_ERROR,"unable to change gid", stdout);

    if (setegid(group_id) == -1)
        die(CONF_ERROR,"unable to change egid", stdout);

    if (setuid(user_id) == -1)
        die(CONF_ERROR,"unable to change uid", stdout);

    if (seteuid(user_id) == -1)
        die(CONF_ERROR,"unable to change euid", stdout);
-------------------------------------------------------------------------------

The test program does nothing more than two printf() calls, one a web header,
the other the uid:euid gid:egid pairs.  The results look like so:

-------------------------------------------------------------------------------
    Content-type: text/html

    50:50 50:50
-------------------------------------------------------------------------------

I also had placed some printf() calls before the execle() call in the web
server, and it too reported the current gid,egid,uid,euid were all set to 50.
Given this, how was the exec able to run the test code that is only executable
by root or folks in the admin group, which the adminweb ID clearly isn't?  The
web server code is as follows:

From http_include.c:

-------------------------------------------------------------------------------
    int p[2],x;
    FILE *f;
    char errstr[MAX_STRING_LEN];

    if(pipe(p) == -1)
        die(SERVER_ERROR,"httpd: could not create IPC pipe",out);
    if((ipid = fork()) == -1)
        die(SERVER_ERROR,"httpd: could not fork new process",out);
    if(!ipid) {
        char *argv0;

    ------- [SNIP] ------- (Some environment setup code)

        close(p[0]);
        if(p[1] != STDOUT_FILENO) {
            dup2(p[1],STDOUT_FILENO);
            close(p[1]);
        }
        error_log2stderr();
        if(!(argv0 = strrchr(SHELL_PATH,'/')))
            argv0=SHELL_PATH;

---> At this point we are at 50:50 50:50

        if(execle(SHELL_PATH,argv0,"-c",s,(char *)0,in_headers_env) == -1) {
            fprintf(stderr,"httpd: exec of %s failed, errno is %d\n",
                    SHELL_PATH,errno);
            exit(1);
        }
    }
    close(p[1]);
    if(!(f=fdopen(p[0],"r"))) {
        waitpid(ipid,NULL,0);
        return -1;
    }
    send_fd(f,out,kill_include_child);
    fclose(f);
    waitpid(ipid,NULL,0);
    return 0;
}
-------------------------------------------------------------------------------

I should also note that the process starts off initially with the uid:euid
gid:egid combo of 0:0 50:0 (possibly 0:50, I can't recall at the moment).

In any case, if any of you have made it this far, any ideas?

-Crh

    Charles Henrich     Michigan State University     henrich@crh.cl.msu.edu

                     http://rs560.msu.edu/~henrich/
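Added here as an example, not code from the post or from NCSA httpd: a privilege-drop routine that also resets the supplementary group list with setgroups(2) and then verifies the result, since the uid:euid gid:egid pairs printed by the test program say nothing about that list. The target ids 50/50 and the MAX_GROUPS bound are assumed.

```c
#define _DEFAULT_SOURCE            /* glibc: expose setgroups() */
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Pure helper: how many entries in a group list are not `keep`. */
int count_foreign_groups(const gid_t *groups, int n, gid_t keep) {
    int foreign = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != keep)
            foreign++;
    return foreign;
}

/* 0 if real and effective uid/gid are exactly uid/gid, else -1. */
int verify_ids(uid_t uid, gid_t gid) {
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Supplementary groups of this process other than gid (-1 on error).
 * The four ids reading 50:50 50:50 say nothing about this list. */
int foreign_groups_now(gid_t gid) {
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    return n < 0 ? -1 : count_foreign_groups(groups, n, gid);
}

/* Drop from root to uid/gid. setgroups() goes first: setgid()/setuid()
 * leave the supplementary list alone, and a stale entry there still
 * satisfies a group r-x permission check after the drop. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) == -1) return -1;   /* requires euid 0 */
    if (setgid(gid) == -1) return -1;          /* real, effective and saved */
    if (setuid(uid) == -1) return -1;
    if (verify_ids(uid, gid) != 0 || foreign_groups_now(gid) != 0) return -1;
    if (setuid(0) != -1) return -1;            /* root must be unrecoverable */
    return 0;
}

int main(void) {
    /* constructed target ids, matching the adminweb entry in the post */
    if (drop_privileges(50, 50) == -1) { perror("drop_privileges"); return 1; }
    printf("%d:%d %d:%d foreign=%d\n", (int)getuid(), (int)geteuid(),
           (int)getgid(), (int)getegid(), foreign_groups_now(50));
    return 0;
}
```

Run it as root to see the drop succeed; run it unprivileged and setgroups() fails with EPERM, which is the expected outcome for the helper functions still being checkable without root.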