Re: system() call in suid programs

Valdis.Kletnieks@vt.edu
Fri, 14 Jun 1996 12:31:53 -0400

On Fri, 14 Jun 1996 10:18:35, you said:
> I know that it is bad to use the system() system call in programs, especially
> ones that are suid root, and that it can be exploited fairly easily.  Could
> somebody post or send me details how exploits based on the system() call work?
> Detail would be good, as I am supposed to explain the security implications
> to my boss at our next meeting.

The basic problem with using system() is that it basically does the following:

   fork();                                         /* child... */
   execl("/bin/sh", "sh", "-c", "your argument string here", (char *)0);

The problem is that it is just TOO EASY to break this.  For instance, let's
say your program includes a system("/bin/date"):  Look secure? Sure - how
can you exploit /bin/date? ;)

Well.. How about this:

1) The attacker puts '.' in his path (usually not recommended for just this
reason, you don't want to have this happen accidentally ;)

2) Attacker sets IFS=/

3) Attacker runs your program.. Program launches a shell.

4) The shell is handed the string "/bin/date".  It looks at IFS to decide how
to parse it into words.  Well.. we word-break on /.  So we have 2 words, "bin"
and "date".

5) The shell decides this means the user wanted to run a program 'bin' with
a parameter 'date'.

6) It waltzes down the PATH variable.. and in '.', we find a shell script
called 'bin' that has in it:

cp /bin/sh /tmp/.my_setuid_backdoor       # runs as root, courtesy of the suid program
chown root /tmp/.my_setuid_backdoor       # make sure root owns the copy
chmod 6555 /tmp/.my_setuid_backdoor       # setuid+setgid, executable by everyone

So it runs it.  Now the attacker has a set-uid shell he can use to get root
any time he wants.

In addition, almost any of the OTHER known ways to attack set-uid shell scripts
(race conditions with symlinks, odd settings of the SHELL environment variable,
etc., ad nauseam) will also work against calls to system().

The worst part is that coding the fork/exec *yourself* takes only 5-6 lines
more, and you can shut down almost all of these attacks.
--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                Virginia Tech

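An added example in C, not part of Valdis's message: the first helper reproduces the word-break of steps 4 and 5 (what a Bourne-style shell that splits on IFS would take as the program name), the second is the system("/bin/date") call exactly as the post warns against it, and the third is the fork/exec replacement the post recommends, with an absolute path, a fixed argv and a freshly built environment so the invoker's IFS, PATH, SHELL and the rest never reach the child. The function names and the PATH value handed to the child are my assumptions. One caveat: bash, for one, resets IFS at startup rather than inheriting it, so step 2 no longer works as described against it, but everything else in the environment still reaches a shell started by system(), and executing the program directly closes all of those at once.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Steps 4 and 5 of the attack: a shell that splits its input on the
 * characters in IFS sees "/bin/date" as the words "bin" and "date" when
 * IFS is "/".  This helper does the same word-break and returns the first
 * word, i.e. the program name the shell would go looking for in PATH.
 * (Name and shape are my own; the post only describes the behaviour.) */
const char *shell_command_word(const char *cmd, const char *ifs,
                               char *out, size_t outlen)
{
    size_t n = 0;

    while (*cmd && strchr(ifs, *cmd))            /* skip leading separators */
        cmd++;
    while (*cmd && !strchr(ifs, *cmd) && n + 1 < outlen)
        out[n++] = *cmd++;                       /* copy up to the next one */
    out[n] = '\0';
    return out;
}

/* What the post warns against: the whole string goes to "/bin/sh -c", so
 * the caller's environment decides what actually runs. */
int run_date_unsafe(void)
{
    return system("/bin/date");
}

/* What the post recommends: fork and exec the program yourself.
 * No shell is involved, the path must be absolute, argv is fixed by the
 * caller, and the child gets a minimal environment built here (the PATH
 * value is an assumed example, not from the post).
 * Returns the child's exit status, 127 if exec failed, -1 on other errors. */
int run_program_safe(const char *path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/') {        /* never let a PATH lookup decide */
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: execve does no PATH search and clean_env drops everything
         * the invoker set.  If the program does not need root, this is also
         * the place to setuid(getuid()) before the exec. */
        execve(path, argv, clean_env);
        _exit(127);                              /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[64];
    char *const date_argv[] = { "date", NULL };

    printf("shell with IFS=/ would look for: %s\n",
           shell_command_word("/bin/date", "/", buf, sizeof buf));
    printf("shell with default IFS runs:     %s\n",
           shell_command_word("/bin/date", " \t\n", buf, sizeof buf));
    return run_program_safe("/bin/date", date_argv) == 0 ? 0 : 1;
}
```

The point of run_program_safe is not the particular PATH it sets but that nothing the invoker controls is consulted: the path is absolute, argv is the caller's, and the environment is constructed rather than inherited. That is the "5-6 lines more" the post refers to.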