Re: question on escalating privileges via suid vulnerabilities

To:	"Michal Zalewski" <lcamtuf@dione.ids.pl>
Subject:	Re: question on escalating privileges via suid vulnerabilities
From:	"John McGuire" <jmcguire81@gmail.com>
Date:	Sun, 25 Feb 2007 10:18:43 -0700
Cc:	pen-test@securityfocus.com
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=mUI5aVgVdZ3R+OJf3V6wVR3TycKBkdsRddHxxYncdD9E0sySRbWm2tz3bvjYeT2OkqbuvUodEzPiQiOWqQW509g90KIzQJE0KBaX1BcsQlQwLjJq6NL0xIdnZ5YCFalDc6SokrDWmeWy+UbsM4zBFurcyP25DarAN5SmCzkp0vU=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LksN8FnxF4YGck4gTkZXTD2O1X6JVz5MT8LD8mYEVHHpHJ0nHZGiCBJ+OcrW4xmSyxxm8C3tyQ9h9CT8LmZO8WG4in61/edpLvlAcsBJbG5sm/CIYNb0NMtcKctcEelDL9+41E3qAbSB0TG1pQSyi2AfXARh5RMRYneg48MOuGw=
In-reply-to:	<Pine.LNX.4.58.0702251009320.21707@dione>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<7c488dd80702241052y225c158fn9b2c8372f10a6f3b@mail.gmail.com> <Pine.LNX.4.58.0702251009320.21707@dione>
Resent-date:	Mon, 26 Feb 2007 13:28:57 -0700 (MST)
Resent-from:	pen-test-return-1078483633@securityfocus.com
Resent-message-id:	<20070226202857.A398423738A@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

Thanks, adding setuid() cleared up the issue.

John

On 2/25/07, Michal Zalewski <lcamtuf@dione.ids.pl> wrote:

On Sat, 24 Feb 2007, John McGuire wrote:

>        arr[1] = NULL;
         setuid(0);
>        execve (arr[0], arr, NULL);

Just add this line there. You are in all likelihood bumping into a
"protection"  built into /bin/sh to make attacks marginally more
difficult.

/mz


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
question on escalating privileges via suid vulnerabilities, John McGuire Message not available Re: question on escalating privileges via suid vulnerabilities, John McGuire <= Re: question on escalating privileges via suid vulnerabilities, Christoph Bussenius Re: question on escalating privileges via suid vulnerabilities, Marco Ivaldi Re: question on escalating privileges via suid vulnerabilities, Andrea Purificato - bunker Re: question on escalating privileges via suid vulnerabilities, Fábio Russo

Previous by Date:	RE: DNS mapping, Elias-Bachrach, Ari (721)
Next by Date:	RE: Penetration Testing Framework 0.24 released, Liam Downward
Previous by Thread:	question on escalating privileges via suid vulnerabilities, John McGuire
Next by Thread:	Re: question on escalating privileges via suid vulnerabilities, Christoph Bussenius
Indexes:	[Date] [Thread] [Top] [All Lists]