Great Circle Associates Majordomo-Workers
(August 2000)

Subject: Re: demonstration: setuid wrappers are insecure?
From: Jason L Tibbitts III <tibbs @ math . uh . edu>
Date: 28 Aug 2000 22:14:29 -0500
To: majordomo-workers @ GreatCircle . COM, mj2-dev @ csf . colorado . edu
In-reply-to: SRE's message of "Mon, 28 Aug 2000 17:04:38 -0700"
References: <Dave Hayes's message of "Mon, 28 Aug 2000 01:30:39 -0700"> <200008280830.BAA26974@hokkshideh.jetcafe.org> <4.3.1.0.20000828164001.00ce7c90@pop.climber.org>
User-agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7

>>>>> "S" == SRE  <eckert@climber.org> writes:

S> Note that mj_shell is now executing my shell script instead of running
S> an editor.

It runs this script as you.  So you don't get to do anything that you
couldn't do in the first place.

Look:

XYX:morpheus:~/mj/2.0> ls -l /tmp/a
-rwxrwxr-x   1 tibbs    tibbs          26 Aug 28 20:57 /tmp/a*

XYX:morpheus:~/mj/2.0> cat /tmp/a
#!/bin/sh
touch /tmp/file

XYX:morpheus:~/mj/2.0> rm /tmp/file

XYX:morpheus:~/mj/2.0> mj_shell -p XXX configedit test digests

File unchanged; not executing.

XYX:morpheus:~/mj/2.0> ls -l /tmp/file
-rw-r-----   1 tibbs    tibbs           0 Aug 28 20:59 /tmp/file

So I can create, change and delete files that I could already do those
things to in the first place.

Making use of EDITOR is very common in the UNIX world; I just copied
exactly what the crontab program does.  And look at crontab:

XYX:morpheus:~/mj/2.0> ls -l /usr/bin/crontab
-rwsr-xr-x   1 root     root        21816 Sep 10  1999 /usr/bin/crontab*

Ooh, setuid root.

XYX:morpheus:~/mj/2.0> rm /tmp/file

XYX:morpheus:~/mj/2.0> crontab -e
crontab: no changes made to crontab

XYX:morpheus:~/mj/2.0> ls -l /tmp/file
-rw-rw-r--   1 tibbs    tibbs           0 Aug 28 21:01 /tmp/file

S> OK, so I got Mj2 to replace a command with my own shell script by
S> passing the hard path to the shell script as an environment
S> variable.

That's the whole point of paying attention to EDITOR.  You're making it do
what it is supposed to be doing.  You can set EDITOR=/usr/bin/emacs or
/bin/vi or /path/to/my_shell_script_that_calls_vi_with_args or
/path/to/script_that_deletes_my_files, although if you did the latter then
it would be your own fault, not ours.

S> I'm not saying THIS example is dangerous, but given one example of an
S> environment variable that replaces the configedit command with a shell
S> script I wrote as an unprivileged user, isn't it POSSIBLE that there are
S> worse exploits out there waiting?

Anything is possible, but your example isn't useful in showing this one way
or the other.

S> I'm still not saying we need to change the wrappers, I'm just responding
S> to the request for a demonstration. I didn't exploit the linker, the
S> operating system, or the wrapper, I directly exploited our (Mj2) perl
S> code (Majordomo.pm).

But you haven't exploited anything.  (Unless you use exploit to mean "make
use of".)

S> If you were to toss the environment in the wrapper, this wouldn't be
S> possible.

Precisely.  And I and a bunch of other folks would be plenty pissed that we
can't set our editors.

 - J<
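The safety argument in the message above rests on one property: whatever EDITOR names gets run with the privileges of the invoking user, not of the setuid wrapper, so the user gains nothing they could not already do. The following is an added illustration of that pattern (it is not mj_shell or Majordomo code, and the names drop_to_real_user, run_editor_as_invoker and edit_and_check are invented for it). It drops to the real uid/gid before exec, as crontab does, verifies the drop actually took, and reproduces the "File unchanged; not executing." check by comparing the file's size and mtime before and after the editor ran.

```c
/* Added example: a privilege-dropping editor launcher in the spirit of
   crontab -e and mj_shell configedit. Not code from Majordomo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Permanently give up any setuid/setgid privilege: effective and saved ids
   become the real ids of the invoking user. Returns 0 on success, -1 on error. */
int drop_to_real_user(void) {
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setgid(rgid) != 0) return -1;   /* group first, while still privileged */
    if (setuid(ruid) != 0) return -1;
    /* Verify the drop really took; a failed drop is a fatal error, not a warning. */
    if (getegid() != rgid || geteuid() != ruid) return -1;
    if (ruid != 0 && seteuid(0) == 0) return -1;   /* must NOT be able to regain root */
    return 0;
}

/* Snapshot used to decide whether the editor changed the file.
   Caveat: st_mtime has one-second granularity, so a same-size edit within
   the same second is missed; compare contents if that matters. */
typedef struct { off_t size; time_t mtime; } file_snap_t;

int snapshot_file(const char *path, file_snap_t *s) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    s->size = st.st_size;
    s->mtime = st.st_mtime;
    return 0;
}

int file_changed(const file_snap_t *before, const file_snap_t *after) {
    return before->size != after->size || before->mtime != after->mtime;
}

/* Run `editor path` with the invoking user's privileges.
   Returns the editor's exit status (0..255), or -1 if it could not be run.
   127 means exec failed (e.g. the path in EDITOR does not exist). */
int run_editor_as_invoker(const char *editor, const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: drop privilege BEFORE exec, so whatever EDITOR names
           (vi, emacs, or the user's own shell script) runs only as that user. */
        if (drop_to_real_user() != 0) _exit(127);
        execl(editor, editor, path, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Mirror of the behaviour in the message: run the editor, then apply the
   result only if the file changed. Returns 1 (changed), 0 (unchanged), -1 (error). */
int edit_and_check(const char *editor, const char *path) {
    file_snap_t before, after;
    if (snapshot_file(path, &before) != 0) return -1;
    if (run_editor_as_invoker(editor, path) < 0) return -1;
    if (snapshot_file(path, &after) != 0) return -1;
    return file_changed(&before, &after);
}

/* Honour EDITOR exactly as the message describes; fall back to a default editor. */
const char *choose_editor(const char *env_editor) {
    return (env_editor && *env_editor) ? env_editor : "/bin/vi";
}

int main(void) {
    const char *editor = choose_editor(getenv("EDITOR"));
    char path[] = "/tmp/mjconfig.XXXXXX";   /* constructed scratch copy of a config */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    if (write(fd, "digests = ...\n", 14) < 0) { perror("write"); return 1; }
    close(fd);
    int r = edit_and_check(editor, path);
    if (r == 1) puts("File changed; applying.");
    else if (r == 0) puts("File unchanged; not executing.");
    unlink(path);
    return r < 0;
}
```

The order inside the child matters: setgid before setuid (a process that has already dropped root cannot change its group), then a positive check that the effective ids now equal the real ids and that root cannot be regained. A wrapper that instead scrubbed EDITOR from the environment would remove the feature without adding any protection the privilege drop does not already give.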


