
The Dangers of SetUID

posted on October 9, 2002 by hitbsecnews

By: Zaxil

I assume while writing this that the reader understands basic *nix commands. If you're not sure what SetUID is, feel free to run "man setuid"; that explains it all and saves this fine magazine some room. With that said, let's start by saying that setting UIDs is usually a bad idea. If someone who has a clue is trying to root your machine and they run into something that they have access to which has its UID set higher than theirs, it's a safe bet that they'll play with it a bit. Why would someone play with this? What do they hope to gain from it? Well, those questions are easy enough.

The attacker is most commonly trying to make these programs do one of two things: drop him into a shell belonging to that UID, or have the program execute commands as that UID. Let me give an example. Let's say for some reason we have a mail account that has access to everything dealing with mail and emails on your server. Someone writes a nice script to make your life easier, but it uses setuid to run all of its commands with the UID of the mail account. Later someone notices this and exploits it to do one of the two things stated above. Oh look, he now has control of all of our mail. That is a quick example I could drag on, but I'm just trying to give you all more of an idea of how this can be bad. Now on to some of the ways that these things are exploited. I was playing a wargame the other day and all of these examples are from that.

Simple examples once again, so don't think it's always this easy; in fact, most of them shouldn't be this easy. Usually you try to alter the program's environment in an unexpected way. Now let's say someone has a script, with setuid on of course. They decided to use more in this script to display text. Anyone know the problem with this offhand? Well, if we issue "man more" and look over the page, we notice that if we press ! we get dumped into a little shell. Thanks, more: now everyone gets to run commands with the UID of our little script. Another example: someone has a program that for some reason runs the file command at one point and waits for us to input the directory, which from there it would do other things to.

Well, after thinking about this for a good second we decide to try entering " ;command". Why? Well, remember what the ; does. After it runs the file command, the shell notices the semicolon and runs the command behind it for us. Now I'm going to give one more example. Let's say there's a program that when run just displays something on the screen and exits, so it doesn't even give us a chance to input anything. Let's say this program doesn't use an absolute path and decides to use a relative one instead: it uses cat ./happy. Well, we want to see if it really does, so we move it, or something to that extent, so we can run it from another directory.
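The two weaknesses just described, a pager that offers a shell escape and a directory name that is handed to a shell with a semicolon in it, share one root cause: the setuid program lets a shell interpret something it did not control, while still holding its elevated UID. The added C example below is not from the article or the wargame it mentions; it shows the unsafe string the attacker relies on next to a hardened version that validates the input with an allow-list, runs the tool by absolute path through execve() with an argv array so no shell ever parses the input, and permanently drops privileges in the child before the exec, so that even a shell escape inside a pager would run as the real user. The helper names, the fixed PATH and the /usr/bin/file location are assumptions made for the example.

```c
/* Added example, not code from the original article. Helper names, the
 * fixed PATH and the /usr/bin/file location are assumptions. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* UNSAFE pattern from the article: the directory name is pasted into a
 * command string for system(), so " ;command" becomes "file  ;command"
 * and the shell would run "command" with the program's effective UID.
 * This only builds the string to show the problem; it is never executed. */
int unsafe_build_command(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "file %s", dir);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Positive validation: accept only letters, digits, '/', '.', '_', '-'.
 * Anything a shell could interpret (';', '|', '&', '$', backticks,
 * whitespace) is rejected, and a leading '-' is refused so the name
 * cannot be read as an option. Returns 1 if acceptable, 0 otherwise. */
int is_safe_dirname(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (const char *p = s; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Permanently give up the elevated UID/GID so the child runs as the real
 * user: even if it reaches a pager shell escape (the article's more and
 * '!' case), that shell has no extra privilege. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Never assume the calls took effect; re-check before continuing. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Hardened replacement: validate first, then run the tool by absolute path
 * via execve() with an argv array (no shell parses the input), a fixed
 * environment, and "--" so the name is never read as an option.
 * Returns the child's exit status, or -1 if rejected or on failure. */
int run_file_safely(const char *dir)
{
    if (!is_safe_dirname(dir))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(127);
        char *const child_argv[] = { "file", "--", (char *)dir, NULL };
        char *const child_envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/usr/bin/file", child_argv, child_envp); /* assumed tool path */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIRECTORY\n", argv[0]);
        return 2;
    }
    int rc = run_file_safely(argv[1]);
    if (rc < 0) {
        fprintf(stderr, "rejected or failed: %s\n", argv[1]);
        return 1;
    }
    return rc;
}
```

Two design points matter more than the character list. First, the privilege drop happens in the child before the exec and is verified afterwards, because a setuid program that continues after a failed setresuid() is exactly the situation the article warns about. Second, the validation is an allow-list: trying to enumerate every character a shell treats specially is the approach that keeps failing, while refusing everything outside a small known-good set does not depend on knowing the shell's syntax.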

Then we just recreate happy in this new directory, or we can have it as a link pointing to something else. Then we get to view that file thanks to this script. As to why you would want to view a file, there are all kinds of reasons, but I think everyone can figure that out on their own. These are very trivial examples to give you all an idea. If anyone wants to know more about setuid, send me an email or check out the link at the bottom of this. If enough people are still curious, or if I have time, I'll write an advanced article on this.
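The cat ./happy case fails for two separate reasons: the relative path lets whoever runs the program choose which directory "./" refers to, and a name in that directory can be a symbolic link to a file the caller is not allowed to read. The added C example below is not from the article; it is the file-opening policy a privileged program should apply instead (absolute path only, O_NOFOLLOW so a planted link is refused, and a regular file owned by root or the effective user that nobody else can write), together with a function that recreates the article's scenario in a private temporary directory and reports whether the policy held. The function names and the /tmp location are assumptions made for the example.

```c
/* Added example, not code from the original article. Function names and
 * the temporary-directory location are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Open a file the way a privileged program should:
 *  - absolute path only, so the caller's working directory cannot decide
 *    which "happy" is read (the article's cat ./happy problem);
 *  - O_NOFOLLOW, so a symlink planted in place of the file is refused;
 *  - must be a regular file, owned by root or the effective user, and not
 *    writable by group or others, so its content cannot be swapped under us.
 * Returns an open descriptor, or -1 with errno set. */
int open_trusted_file(const char *path)
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;               /* ELOOP when the last component is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode)
        || (st.st_uid != 0 && st.st_uid != geteuid())
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Recreate the article's scenario in a private temporary directory: a real
 * "happy" file and a symlink "happy-link" to it (in the article's attack the
 * link would point somewhere the user is not meant to read). Returns 0 if
 * the policy held (real file opened, symlink and relative name refused),
 * 1 if the policy failed, -1 if the scenario could not be set up. */
int demo_symlink_policy(void)
{
    char dir[] = "/tmp/setuid-demo-XXXXXX";   /* constructed sample location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char real[256], lnk[256];
    snprintf(real, sizeof real, "%s/happy", dir);
    snprintf(lnk, sizeof lnk, "%s/happy-link", dir);

    int result = -1;
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        const char msg[] = "constructed sample content\n";
        ssize_t w = write(fd, msg, sizeof msg - 1);
        close(fd);
        if (w == (ssize_t)(sizeof msg - 1) && symlink(real, lnk) == 0) {
            int via_real = open_trusted_file(real);
            int via_link = open_trusted_file(lnk);
            int via_rel  = open_trusted_file("happy");
            result = (via_real >= 0 && via_link == -1 && via_rel == -1) ? 0 : 1;
            if (via_real >= 0)
                close(via_real);
        }
    }
    unlink(lnk);
    unlink(real);
    rmdir(dir);
    return result;
}

int main(void)
{
    int rc = demo_symlink_policy();
    puts(rc == 0 ? "policy held: symlink and relative path refused"
                 : "policy failed or setup error");
    return rc == 0 ? 0 : 1;
}
```

The checks are done on the descriptor with fstat() rather than on the path with stat(), so there is no window between checking and opening in which the file could be replaced. O_NOFOLLOW only governs the final path component; a privileged program that reads from a directory other users can write to (such as /tmp itself) also needs the parent directories to be trustworthy, which is why real programs keep their data under a root-owned path rather than anywhere the caller can influence.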

1.) MAC Address & ARP Functionality - Resolution
2.) SOTHA #8 - madsaxon
3.) Spyware: The Evolution - JesterS
4.) Demystifying Remote Host - Abhisek Datta
5.) Wireless Security & Hacking - Dr. T
6.) When Code Goes Wrong - DangerDuo
7.) Phone lines, wardialing, laptops & the like - zaxil
8.) The Dangers of SetUID - zaxil
9.) Introduction to Buffer Overflows - Ghost_Rider
