[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: setgid-wrapper

In article <[🔎] 20040520055516.GA9277@misery.proulx.com>,
Bob Proulx <bob@proulx.com> wrote:
>However, setuid shell scripts are such a security hole that they
>should never exist.  Much of the time spent by the security scanners
>for unix scan for just such problems.

This is true. On most systems, it's trivial to exploit a suid
shell script. Often the shell reads ~/.bashrc or a similar file
at startup - put your exploit there and you're done. Or put it
in $BASH_ENV. Or, if the shell script doesn't reset the PATH,
just change the PATH to include a directory with your exploit
named after one of the commands that the shell calls. Then
there's the IFS exploit. etc etc etc.

For every 10 setuid shell scripts, 9 are exploitable. Maybe 10.


Reply to: