Thursday, April 07, 2005

Lady, tell me the time.

This program is a SUID program (see my previous post).

#include <stdlib.h>

int main()
{
    system("date");   /* "date" is looked up via the caller's PATH and run through /bin/sh */
}

What does it do?
It simply executes the command called "date".

Now, what is the problem with it?

PS: Lady seems to be blonde

Thanks,
Sandeep

10 comments:

Matrix said...

One can write their own date program and place it in the path prior to the location where the standard date command would exist, and that's it...

Alpha0 said...

Kewl.
So, what would you do about it?
Call system in the following way:

system("/usr/bin/date");

Now, find the problems associated with it.

Matrix said...

It executes in the user's current shell, right? If so, the user still has some control over this.

What all can he do if it runs in his shell?

Should we be running this in an exclusive shell like

system("/bin/sh -c /usr/bin/date");

~matrix

Alpha0 said...

What happens if I set IFS='/'?
[IFS is the internal field separator. The shell uses it to split the parameter/argument list.]

Your command will be interpreted as "bin sh -c usr bin date".
And I can create a program called "bin" in my current directory and get it executed by Blonde.

Isn't it?

#Alpha0
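The problems collected so far in the post and the comments (the command is found via the caller's PATH, it runs through /bin/sh, and IFS and the rest of the caller's environment are inherited) side by side with one hardened way to run the same command. This is an added example, not code from the original post or from any commenter. It assumes date lives at /bin/date and that /bin/sh exists; run_fixed, run_date_fixed and run_sh_c are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* The program from the post, as written: "date" is resolved through the
 * caller's PATH and executed by /bin/sh with the caller's whole environment
 * (PATH, IFS, LD_PRELOAD, ...). Under SUID root, the invoking user decides
 * what actually runs as root. */
int run_date_as_posted(void)
{
    return system("date");
}

/* Hardened runner (added example, not from the original post or comments):
 *  - the elevated uid/gid are dropped for good before anything executes;
 *  - execve() on a fixed absolute path, so PATH is never consulted;
 *  - no shell in between, so IFS and shell metacharacters do not matter;
 *  - a minimal hand-built environment, so the caller's PATH, IFS,
 *    LD_PRELOAD and friends never reach the child.
 * Returns the child's exit status, or -1 on error / abnormal termination. */
int run_fixed(const char *abs_path, char *const argv[])
{
    static char *const safe_env[] = {
        "PATH=/usr/bin:/bin",
        "IFS= \t\n",
        NULL,
    };
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                       /* refuse anything PATH-relative */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user: once the uid is non-root the gid
         * could no longer be changed. Bail out if either step fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(abs_path, argv, safe_env);
        _exit(127);                      /* only reached if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The post's "date" call, done the hardened way.
 * Assumes date is installed at /bin/date. */
int run_date_fixed(void)
{
    char *const argv[] = { "date", NULL };
    return run_fixed("/bin/date", argv);
}

/* Probe what the child actually sees: run a shell snippet through
 * run_fixed() and return its exit status. */
int run_sh_c(const char *script)
{
    char *const argv[] = { "sh", "-c", (char *)script, NULL };
    return run_fixed("/bin/sh", argv);
}

int main(void)
{
    /* Play the attacker: poison PATH and IFS in our own environment
     * before calling either variant. */
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    setenv("IFS", "/", 1);

    printf("as posted, system(\"date\") returned %d\n", run_date_as_posted());
    printf("hardened, /bin/date returned %d\n", run_date_fixed());
    printf("child PATH is scrubbed: %s\n",
           run_sh_c("test \"$PATH\" = /usr/bin:/bin") == 0 ? "yes" : "no");
    printf("relative path rejected: %s\n",
           run_fixed("date", NULL) == -1 ? "yes" : "no");
    return 0;
}
```

With a poisoned PATH the first call happily executes whatever "date" the attacker planted, while run_fixed() ignores PATH and IFS entirely and hands the child only the two variables it builds itself. Because setuid() in a SUID-root process also resets the saved uid, the drop in the child is permanent; if the real program needs to keep root for later work, drop privileges only in the child as shown, never in the parent.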

rzo said...

Hmm, does this IFS trick still work?

I tested it on my Linux box (2.4 kernel) WITHOUT success.

$ cat bin
#!/bin/sh

/bin/df -h

$ cat a.c

#include <stdlib.h>

int main(){
    system("/bin/ls");
    return(0);
}

$ gcc -o x a.c

$ ./x
a.c bin x

$ echo $IFS

$ export IFS='/'

$ echo $IFS

$ ./x
a.c bin x

As we can see, it didn't work. It was unable to use the value set for IFS. Any trick to make it work again?

Alpha0 said...

Nowadays, it seems that shells (especially bash) don't allow changing the IFS.

rzo said...

Hmm, let's test...

$ /bin/csh

debian:/tmp> ./x
a.c bin x

debian:/tmp> set IFS='/'
debian:/tmp> set PATH=/tmp
debian:/tmp> echo $PATH
/tmp
debian:/tmp> echo $IFS
/

Let's execute the attack...

debian:/tmp> ./x
a.c bin x

The same result; if we look at ltrace we see that it doesn't use the field separator.

system("/bin/ls"a.c bin x

Do you know some specific shell or trick to make it work nowadays?

Cya

Alpha0 said...

Not really.
I used to use this trick on old Digital Unix systems.
I tried it with csh, ksh and bash. It doesn't seem to work.
Thanks Rzo for keeping me updated.

--Alpha0
