Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.


Eh, if you can pollute page caches this won’t safe you.

Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even.

There are a lot of files readable that should definitely not be writable.


Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC:

  f=g.open("/etc/passwd",0);
  e="rkeene:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash\n".encode()
  ...
  g.system("/run/wrappers/bin/su - rkeene")


There is a PoC that does exactly that here: https://github.com/tgies/copy-fail-c




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: