Very Computer

I am currently trying to learn about buffer overflows/stack smashing.

I wrote a small c prog that could be easily overflowed, made it setuid
root, and then wrote an exploit for it. (with the aid of a tutorial).

Now I'm no expert programmer, but for me to gain root as easily as I
did, surprised me no end.  In fact it really stood me up straight!

I think it would be prudent for all sysadmins to seriously review any
and all suid programs they may have review them for safety.

Comments?

--
Regards
Luke
PLEASE NOTE: Spamgard (tm) installed.
----
"Normal people ... believe that if it ain't broke, don't fix it.
Engineers believe that if it ain't broke, it doesn't have enough
features ... yet." -- Scott Adams
----
http://www.bell-bird.com.au

----

<nod>.

Quote:> I think it would be prudent for all sysadmins to seriously review any and
> all suid programs they may have review them for safety.

> Comments?

There's probably a reason why Part N+1 of setting up a hopefully-secure
box is automating a task that finds all set[ug]id files and mails you a
list every night....!

(And has been since I wore nappies reading O'Reilly _Essential System
Administration_, if not before then.)

~Tim
--

And you watch the ripples flow                  |http://piglet.is.dreaming.org

Shocking ain't it Luke...  :-)
-m-

-------------------------------------
#!/bin/sh
#
# Lists SGID & SUID files
# and emails to postmaster.
#
# The "find command cat" line gets wraped in email.
#
(


 echo "Subject: Daily SGID & SUID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID files on the system include:"
echo
 find / -type f \( -perm -04000 -o -perm -02000 \) \
-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

----------------------------------------------

#!/bin/sh
#
# Lists SGID files
# and emails to postmaster.
#
(


 echo "Subject: Daily SGID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID files on the system include:"
echo
 find / -type f \( -perm -02000 \) \-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

---------------------------------------------

#!/bin/sh
#
# Lists SUID files
# and emails to postmaster.
#
(


 echo "Subject: Daily SGID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID files on the system include:"
echo
 find / -type f \( -perm -04000 \) \-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

-------------------------------

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 98.987% of seti users. +/- 0.01%

-------------------------------------
#!/bin/sh
#
# Lists SGID & SUID files
# and emails to postmaster.
#
# The "find command cat" line gets wraped in email.
# you can remove the \ on the find line and move the
# cat line back to the end of the find line
#
(


 echo "Subject: Daily SGID & SUID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID & SUID files on the system include:"
echo
 find / -type f \( -perm -04000 -o -perm -02000 \) \
\-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

----------------------------------------------

#!/bin/sh
#
# Lists SGID files
# and emails to postmaster.
#
(


 echo "Subject: Daily SGID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID files on the system include:"
echo
 find / -type f \( -perm -02000 \) \-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

---------------------------------------------

#!/bin/sh
#
# Lists SUID files
# and emails to postmaster.
#
(


 echo "Subject: Daily SGID audit report"
 echo

 PATH=/sbin:/usr/sbin:/bin:/usr/bin:
 export PATH
echo "List of SGID files on the system include:"
echo
 find / -type f \( -perm -04000 \) \-exec ls -lg {} \;| cat

 ) 2>&1 | /usr/lib/sendmail -t
exit 0

-------------------------------

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 98.987% of seti users. +/- 0.01%

Scripts will also work with qmail without any changes.

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 98.987% of seti users. +/- 0.01%

Tripwire also Kwang comes with tcpwrappers.  Tim will show you how to do
it with find, I expect.

-m-
--
The most secure OS will be the one you know best and know how to secure
the best.  A very large amount of security depends on the configuration
and knowing what needs to be changes is not always easy.
        Alan Coopersmith

[snip]

Quote:> > Got a handy script you can share for this?

> Tripwire also Kwang comes with tcpwrappers. Tim will show you how to do
> it with find, I expect.

Well, I thought the other chap had done a reasonable job of it, but if
you're desperate...  I'd start from:
        find / -perm +ug+s -ls | mail -s 'setuid files' root
and work up ;8)

~Tim
--

West winds blow.                                |http://piglet.is.dreaming.org

minor error-------------^^^^

Quote:>  echo

>  PATH=/sbin:/usr/sbin:/bin:/usr/bin:
>  export PATH
> echo "List of SGID files on the system include:"

minor error-----^^^^

Quote:> echo
>  find / -type f \( -perm -04000 \) \-exec ls -lg {} \;| cat

>  ) 2>&1 | /usr/lib/sendmail -t
> exit 0

sorry to be pedantic :)

--
Regards
Luke
PLEASE NOTE: Spamgard (tm) installed.
----
"Normal people ... believe that if it ain't broke, don't fix it.
Engineers believe that if it ain't broke, it doesn't have enough
features ... yet." -- Scott Adams
----
http://www.bell-bird.com.au

----

See there, ;).
--
You can fool some of the people all of the time and you can fool all of
the people some of the time but you can not fool all of the people all
of the time.   A. Lincoln

I did this all the time until I found sxid; does anyone know of any
problems with sxid?

--
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Cliff Sharp   |  Hate spam? Take the Boulder Pledge!                      |
|      WA9PDM     | http://www.zdnet.com/yil/content/mag/9612/ebert9612.html  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+