Vulnerabilities

There is something I don’t understand about the latest vulnerabilities announcement.

Let’s take the example of ftp client. I login under my account, use ftp to connect to a server, then run the quote stuff, and my ftp client sigsegv.

The part I don’t understand is how come I end up getting bin privileges. How does this happen? If I could get bin privilege just because a program sigsegv then the vulnerability should apply to any program, not just ftp?

Generally the trick is to find a way to cause a buffer overflow (like the situation you list). Once you can do that, you want to make sure you place the right data in the buffer so that when you overwrite the stack frame, you replace the return address with the address of your routine. Then your routine just has to spawn a shell and you have bin access.

The point is that any program which is setuid / setgid needs to be especially careful to not have any buffer overflows, as they can be exploited.

Rick…

OK, I see. That assumes the vulnerability has something to do with the stack, though. Is that always the case when a vulnerability is announced (not only related to QNX)?

It is certainly one class of vulnerability. Write permission on directories containing setuid executables is another. Being able to override shared objects (through manipulating the search path) is another. I am sure there are more - that is off the top of my head. ;-)

Rick…
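One of the classes Rick lists, write permission on directories containing setuid executables, can be audited mechanically. The following is an added example, not part of the original thread; the function names and the demo directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID    # setuid or setgid file
LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH   # group- or world-writable


def find_exposed_setid(root):
    """Return sorted (file, directory mode) pairs for setuid/setgid regular
    files under root whose containing directory is group- or world-writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        # A sticky directory (like /tmp) only lets a file's owner, the
        # directory's owner or root rename or delete an entry, so skip it.
        if not (dmode & LOOSE_BITS) or (dmode & stat.S_ISVTX):
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            if stat.S_ISREG(fmode) and (fmode & PRIV_BITS):
                findings.append((path, oct(stat.S_IMODE(dmode))))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout: a setuid file in a 0755 directory and
    another in a 0777 directory."""
    for sub, dmode in (("safe", 0o755), ("loose", 0o777)):
        d = os.path.join(base, sub)
        os.mkdir(d)
        f = os.path.join(d, "tool")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(f, 0o4755)   # set the setuid bit after writing the file
        os.chmod(d, dmode)    # explicit chmod so the umask does not interfere
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, dmode in find_exposed_setid(build_demo_tree(tmp)):
            print(f"{path}: setuid/setgid file in directory with mode {dmode}")
```

On a real system the root argument would be a directory such as one on the search path; only the file under the constructed `loose` directory is reported in the demo.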

We should remove the execution permission of stack memory, at least stacks allocated by system.
(Thought 6.3 already did this, but not sure).

I thought x86 couldn’t do that. Isn’t that what the NX bit in AMD64 and IA-64 is for…

I guess it will be optional on all processors, the kernel or malloc() will need to set/reset the feature as desired. Obviously, that piece of code vanishes on non-capable processors.