| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20051009152651.GA3408@jschipper.dynalias.net> Date: Sun Oct 9 16:27:00 2005 From: j.schipper at math.uu.nl (Joachim Schipper) Subject: Local suid files and buffer overflows On Sun, Oct 09, 2005 at 01:17:39AM +0200, Werner Schalk wrote: > Hi, > > first of all apologies for asking such a newbie question but I am trying > to learn how to exploit buffer overflows and therefore wrote a little > program to exploit. This little program has the following permissions: > > $ ls -la test1 > -rwsr-sr-x 1 root root 17164 Oct 8 01:25 test1 > > Now I exploited it using Aleph One's shellcode (see > http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID > shell afterwards (I know the exploit did work but I still have my normal > user privleges). Why? I have tried a different shellcode to write a file > and this file was root:root. Any ideas, hints, rtfm? > > Thank you. > > Best regards, > Werner. Try the following: # mount <snippity> /dev/hdb2 on /home type ext3 (rw,nosuid,nodev) <snippity> nosuid means that suid binaries lose their special properties here. See mount(8). As you just proved, it's not completely useless. As an additional exercise, bypass the nosuid mount option. Or just copy it somewhere without nosuid. (There are many, many other ways this behaviour could have happened, but this one sounds most likely...) Joachim
Powered by blists - more mailing lists