Wednesday, January 30, 2008

Fail!

While reading planet security
to get updated about what ubercool bugz the scene is producing I stumbled across the
fail blog. Definitely worth reading :-) Especially "wet squirrel" was funny after
serious and hard work on vlock which I had a look at. "Satellite" shows that hardware-engineers
are experiencing the same problems as computer scientists with software: it crashes all day long.
Heads up guys!


Tuesday, January 29, 2008

The evilness of setuid(getuid())






We recently had a discussion after a code review that a setuid(getuid()) inside a suid without error checking
and program execution afterwards should be fixed. A lot of people think that this could
never fail. getuid() indeed can never fail, but setuid() can. Lets put aside theoretical issues such
as missing CAP_SETUID or signals and lets have a look how the kernel is executing a setuid()
in the first picture. CAP_SETUID should be ok since we talk about a setuid root program which is
executing setuid(getuid()). Obviously we can trigger an error return of EAGAIN if set_user() fails
which is only called if the real UID is changed during the call. That may only happen if some of the set*uid() functions with a different UID than at startup time of the program has been called already.
For instance a setuid root program runs at startup with the real UID of the user and calls setuid(0)
in order to to obtain full privileges. It then calls setuid(getuid()) to drop the privileges again.
How can this fail? Lets have a look at set_user() in the second picture. Obviously if the
RLIMIT_NPROC limit is exceeded and its not setuid'ing to root (which is the case) then
an error is returned. Huh! Lowering limits is always allowed ;-)
The sample program in picture three demonstrates how a setuid root program dropping
its privileges in this way can be tricked into executing other programs as root.

I apologize if you already knew this trick. I also apologize for the madness of this' blog
editing program which always places the pictures as it wants to and which makes me nuts.







Wednesday, January 23, 2008

FireBox

In case you are tired of yet another unknown web browser vulnerability, you might
try firebox. This small script sets up a chroot environment for firefox which then runs
unprivileged, has no access to suid-files, /proc, /dev, /sys etc and can only create files
inside a loopback mount; so possible exploits triggered from evil websites can't modify
your homedir or system-files (as long as theres no kernel-0day of course :-).
Java, flash and all that sh** is not working yet but that might even be an advantage.

Friday, January 11, 2008

Happy new year!

Although a little bit late, I wish every reader a happy new year!

The 24c3 event was great. I missed some old and known faces, but had some interesting evening
with an italian a french and a dutch hacker at a steak house restaurant. Never made and heared so
many jokes on software. :-)

Even in the new year I am continously asked by the famous hakin9 magazine
to write an article for them. There must be a rumor/confusion somewhere about my person -- I am not a hacker! :-)