Security Problems with SUID Scripts and Programs
There are many methods which have been used to gain root privileges from a Unix SUID (Set User ID) script or program.
It is the task of the programmer of the SUID script or program to prevent the hacker from gaining root access.
Here are some methods which hackers utilize and which programmers should prevent:
- Changing IFS
If the program calls any other programs using the system() function call, the hacker may be able to fool it by changing IFS. system() hands its command string to /bin/sh, which inherits the caller's environment, and IFS is the Internal Field Separator that the shell uses to delimit arguments.
If the program contains a line that looks like this:
    system("/bin/date");
and the hacker changes IFS to '/', the shell will then interpret the preceding line as:
    bin date
Now, if the hacker has a program of his own in the path called "bin", the suid program will run his program instead of /bin/date.
To change IFS, use one of these commands:
    Bourne Shell    IFS='/'; export IFS
    C Shell         setenv IFS '/'
    Korn Shell      export IFS='/'
- Linking the SUID script to -i
The hacker will create a symbolic link to the program named "-i". The hacker will then execute "-i". Because the kernel starts the interpreter with the script's name as its first argument, the interpreter shell (/bin/sh) sees "-i" as an option and starts up in interactive mode with the script's privileges. This only works on suid shell scripts.
    % ln suid.sh -i
    % -i
    #
- Exploiting a race condition
The hacker will attempt to replace a symbolic link to the program with a link to another program in the window between the kernel opening the SUID script and the interpreter (/bin/sh) reopening it by name. Slowing the SUID program down widens that window:
    nice -19 suidprog ; ln -s evilprog suidroot
- Sending bad input to the program.
The hacker will try to invoke the name of the program and a separate command on the same command line. If the program passes its arguments or input to a shell without checking them, a command separator such as ";" lets the second command run with the program's privileges.
    suidprog ; id
Note that these problems also occur with SGID (Set Group ID) scripts and programs.
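The IFS and bad-input problems above both come from letting a shell interpret data the SUID program did not control. The following C example (added here; it is not from the original page) shows the defensive pattern: whitelist anything user-supplied and run helpers with execve() under a fixed environment instead of system(). The function names and the "/bin/date" helper are assumptions for illustration.

```c
/* Added example, not from the original page: how a SUID program can run a
 * helper without the IFS/system() and "bad input" problems described above. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Whitelist check for anything that came from the user: only letters, digits,
 * '.', '_' and '-', never empty and never starting with '-' (which a helper
 * would parse as an option). ';', '|', '$', ' ' and '/' are all rejected. */
int safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s; s++) {
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
              (*s >= '0' && *s <= '9') || *s == '.' || *s == '_' || *s == '-'))
            return 0;
    }
    return 1;
}

/* Run an absolute path with an explicit argv and a fixed, constructed
 * environment. No shell is involved, so the caller's IFS, PATH and other
 * variables cannot influence what gets executed. Returns the child's exit
 * status; 127 means the helper could not be started, -1 a fork/wait error. */
int run_without_shell(const char *path, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Convenience wrapper: run a helper that takes no arguments. */
int run_simple(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    return run_without_shell(path, argv);
}

int main(void)
{
    return run_simple("/bin/date") == 0 ? 0 : 1;
}
```

A SUID program that needs the real caller's environment for anything should copy the specific variables it trusts into envp rather than passing environ through.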