case in point #1
from time to time I'll throw up these "case in point" posts to talk a bit about holes that I've found in the current day. I'll leave the product names out, but it'll be an interesting read nonetheless.
so today I was doing a quick audit on an internal development box. it was once used for some extreme usage, but faded away into the network's obscure hidden world as soon as another solution jumped in the spotlight. in any case, the box was given to me to play with and try funky things.
before doing anything serious, I wanted to see how secure it was locally. it turns out there was a corporate anti-virus product installed for scanning of incoming email. unfortunately it is coupled with some lame web interface that can be used by the administrator to do things ranging from rebooting the box via the web to editing templates.
I noticed something odd though -- many of the scripts were executed via C-written and compiled suid wrappers, and their primary purpose is just to execute specific perl scripts. fine, we see (or saw) those kinds of setups all the time -- it was no big deal. so I inspected the perl scripts to find they all shared a common line of code:
require "./filefullof.functions";
thus here lies a very serious security hole. the corporate software in question bundles a bunch of unnecessary perl scripts. then, these scripts are bundled with suid wrappers to assist them during execution. and finally, the perl scripts themselves call functions from another script improperly -- loading it from a file in the current directory and not from an absolute path.
mhm. that's bad. in fact, one softlink later and rogue "./filefullof.functions" created -- you've just taken over an inheritance of suid.
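an added example (not from the post or the product in question) of how a reviewer can flag the pattern above: a small scanner that walks a perl script and reports every require/do whose path is resolved against the caller's current directory rather than a fixed location. the perl text it scans is a constructed sample; the file and function names in it are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of a perl script in the style described in the post:
# one require that pulls its helper from the current working directory,
# one anchored to the script's own directory via FindBin, one absolute.
SAMPLE_PERL = """#!/usr/bin/perl
use strict;
use FindBin qw($Bin);
require "./filefullof.functions";        # weak: resolved against cwd
require "$Bin/filefullof.functions";     # ok: script's own directory
do "helpers.pl";                          # weak: bare name, searched via @INC (cwd on old perls)
require "/opt/product/lib/common.pl";    # ok: absolute path
"""

# Statements that load and execute another file at runtime.
LOAD_RE = re.compile(r'^\s*(require|do)\s+(["\'])(.+?)\2\s*;')

# Prefixes that interpolate to the running script's own directory.
SCRIPT_DIR_PREFIXES = ("$Bin/", "$FindBin::Bin/", "$FindBin::RealBin/")

def is_relative(path: str) -> bool:
    """True when the path depends on the caller's cwd (or @INC) rather than a fixed location."""
    if path.startswith("/"):
        return False
    if path.startswith(SCRIPT_DIR_PREFIXES):
        return False
    return True

def find_relative_loads(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, keyword, path) for every require/do whose target is not anchored.

    Under a suid wrapper the cwd is chosen by the unprivileged caller, so any hit
    here means the privileged script executes whatever file that caller places there.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = LOAD_RE.match(line)
        if m and is_relative(m.group(3)):
            findings.append((line_no, m.group(1), m.group(3)))
    return findings

if __name__ == "__main__":
    for line_no, keyword, path in find_relative_loads(SAMPLE_PERL):
        print(f"line {line_no}: {keyword} \"{path}\" is not an absolute path")
```

the fix the scanner steers toward is the FindBin form: anchoring the require to the script's own directory takes the caller's cwd out of the lookup entirely.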
advisory+exploit coming soon to a terminal near you!