Submitted by MindSpark on Thu, 09/12/2004 - 03:27.
( categories: Programming )

I've been doing some research on buffer overruns for my graduation project. Now the problem seems to be that all the papers are quite old. The content concerning the stack and execution environment still holds, but I've had trouble launching bash or sh setuid. Funny thing is, ksh works fine. I haven't tried anything else yet. But does anyone have any ideas concerning bash/sh?


Submitted by Alaa on Thu, 09/12/2004 - 12:27.

I think it's not allowed for good reasons, but why would anyone want to run bash setuid?

The world is supposed to move to sudo for this kind of stuff, BTW.

cheers,

Alaa


http://www.manalaa.net

"u know i once dream that the office of mobinil is from el 7`os :S and the one that answer u and tell u rasidak a girl called ghada"


Submitted by MindSpark on Thu, 09/12/2004 - 22:11.

Well, like I said, I am using it for security reasons. Now this would probably have been possible a few years ago. Does anyone know any workaround? Or does anyone have any idea how modern exploits launch a root shell?

Submitted by YoussefAssad on Sat, 11/12/2004 - 12:22.

I don't think it's a common or very effective technique to target existing bash sessions and then change uid.

What you want to do, IIRC, is to look for processes running as root. When these are found, you look for a buffer vulnerability which will allow you to run arbitrary code, which will naturally be run as root since the parent process is root.

Substitute arbitrary process for bash and you've got your root shell.

-- Panem et *burp* circenses


Submitted by شخص خجول مجهول on Sun, 12/12/2004 - 13:57.

That's exactly what I am saying, but the process substituted in the string doesn't want to run setuid ;)

Submitted by YoussefAssad on Mon, 13/12/2004 - 11:51.

SLOWLY. :)

setuid is not a part of the game.

-- Panem et *burp* circenses


Submitted by MindSpark on Mon, 13/12/2004 - 16:15.

Yo, I probably just didn't explain myself well in my message. The program I am trying to exploit is setuid. Now if the shellcode points to executing bash, sh or tcsh, it runs as the normal user (the one running the exploit, and not the vulnerable application, which is setuid). Nevertheless, spawning a ksh works just fine. But what if the system doesn't have a ksh?
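The behaviour MindSpark is running into is documented in the bash manual: when bash starts with an effective uid (or gid) that differs from the real one and the -p option is not given, it sets the effective ids back to the real ids before doing anything else, so a setuid parent gains nothing by executing it. The thread's observation that ksh "works" is consistent with that shell not applying the same rule. The following is an added example written for this thread, not code posted by any of the participants: it shows the privilege-dropping check that bash performs, written as a small C routine a setuid program could call itself. It assumes a Linux or BSD libc with setresuid()/setresgid() (hence the _GNU_SOURCE define); the function names are invented for the example.

```c
#define _GNU_SOURCE          /* for setresuid()/setresgid() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* True when the process currently holds privileges it did not start with,
 * i.e. it was launched from a setuid/setgid executable or by a privileged
 * parent that only changed the effective ids. */
int is_running_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The same rule bash applies at startup (absent -p): if real and effective
 * ids differ, make the effective ids equal to the real ids.
 * Returns 0 when nothing needed doing, 1 when privileges were dropped,
 * -1 if the drop failed or turned out to be reversible. */
int drop_privileges_if_setuid(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (ruid == euid && rgid == egid)
        return 0;

    /* Group first: once the uid is no longer privileged, setgid() may fail. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* All three uids (real, effective, saved) are set, so the old effective
     * id cannot be recovered later with seteuid(). Plain setuid() from an
     * unprivileged (non-root) effective uid would leave the saved uid behind. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;

    /* Verify the drop is permanent: switching back must now be refused. */
    if (euid != ruid && seteuid(euid) == 0)
        return -1;
    if (egid != rgid && setegid(egid) == 0)
        return -1;

    return 1;
}

int main(void)
{
    printf("real uid %u, effective uid %u, setuid=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), is_running_setuid());

    int rc = drop_privileges_if_setuid();
    if (rc < 0) {
        fprintf(stderr, "failed to drop privileges; refusing to continue\n");
        return 1;
    }
    printf("%s; now real uid %u, effective uid %u\n",
           rc ? "privileges dropped" : "no privilege mismatch",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an ordinary user the ids already match and the function reports 0; installed as a setuid binary (chmod u+s) it prints the mismatch and then the dropped ids, which is exactly what happens inside bash before a shell prompt ever appears. The verification step matters: a drop that can be undone with seteuid() is the classic mistake in setuid programs, and the rule "the world is supposed to move to sudo" in the thread exists largely because getting this right in every program is hard.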
