Fwd: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCALROOT EXPLOIT

[Andreas Pour]

Adrian Schroeter wrote:
> 
> On Sun, 7 Jul 2002, Waldo Bastian wrote:
> > My first impression is that the affected code doesn't run with root privs at
> > all, the only thing that could be exploited are the real-time privs IMO (I
> > guess that allows for a local DOS)
> 
> Yes, root-permissions are dropped before the sig11 happened. It is not a
> security problem, George said the same on IRC yesterday.

Hi,

The problem is, the root permissions are not irrevocably dropped.  When
you use "seteuid(getuid())", the very same program can later
"seteuid(0)", and restore itself to the root effective uid.  So it's
just a matter of putting that call into your exploit code.  Try the
attached to see what I mean.

To lose the ability to "return" to the prior effective uid, use
setuid(), as the patch does.

Ciao,

Dre
-------------- next part --------------
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
        int uid;

  if (geteuid() == getuid()) 
  {
    printf("The program is not setuid root or you are running as root\nin either case the test won't work.\n");
    exit(0);
  }

  printf("Startup:\n\teuid = %d\n\tuid = %d\n\n", geteuid(), getuid());
  seteuid(uid = getuid());
  printf("After seteuid(%d):\n\teuid = %d\n\tuid = %d\n\n", uid, geteuid(),
         getuid());
  seteuid(0);
  printf("After seteuid(0):\n\teuid = %d\n\tuid = %d\n", geteuid(), getuid());
  return 0;
}