The Dangers of SetUID
Wed Oct 09 2002
By: Zaxil

I assume while writing this that the reader understands basic *nix commands. If you're not sure what setuid is, feel free to run "man setuid"; that explains it all and saves this fine magazine some room. With that said, let's start by saying that making a program setuid is usually a bad idea. If someone who has a clue is trying to root your machine and they run into a program they can execute that runs with a more privileged user's ID than their own, it's a safe bet that they'll play with it a bit.

Why would someone play with this, and what do they hope to gain from it? Those questions are easy enough. The attacker is most commonly trying to make the program do one of two things: drop them into a shell running as the program's owner, or make the program execute commands as that owner. (On Linux the kernel ignores the setuid bit on interpreted scripts, so in practice the setuid program is a compiled binary, often a small compiled wrapper around a script; the problems below are the same either way.)

Let me give an example. Say for some reason we have a mail account that has access to everything dealing with mail and email on your server. Someone writes a nice script to make your life easier, but it is setuid so that it runs every command with the UID of the mail account. Later someone notices this and exploits it to do one of the two things above, and now they control all of our mail. A quick example that I could drag on, but I'm just trying to give you all more of an idea of how this can be bad.

Now on to some ways these things are exploited. I was playing a wargame the other day and all of these examples are from that. They are simple examples, so don't think it's always this easy; in fact most of them shouldn't be this easy. Usually you try to alter the program's environment in an unexpected way.

Say someone has a setuid program and they decided to use "more" in it to display text. Anyone know the problem with this offhand? If we run "man more" and look over the page, we notice that pressing "!" lets us run a shell command from inside more (on some versions "!" alone drops us into a shell), and that shell runs with the effective UID of the program that called more. Thanks, more; now everyone gets to run commands with the UID of our little script.
Another example: someone has a program that at one point runs the "file" command and waits for us to input a directory, which it then does other things with. After thinking about this for a good second we decide to try entering "; command". Why? Remember what the ";" does. The program pastes our input into a shell command line, so after the shell runs "file" it notices the semicolon and runs the command behind it for us, as the program's owner.

One more example. Say there's a program that when run just displays something to the screen and exits, so it doesn't even give us a chance to input anything. And say this program doesn't use an absolute path but a relative one: "cat ./happy". That "./" is resolved against whatever directory we run the program from, not the directory the program lives in, so we don't need to move anything. We just change to a directory we control, create our own "happy" there (or make it a symbolic link pointing at something else), and run the program from that directory. Then we get to view that file thanks to this script. As to why you would want to view a file, there are all kinds of reasons, but I think everyone can figure that out on their own.

These are very trivial, just to give you all an idea. If anyone wants to know more about setuid, send me an email or check out the link at the bottom of this. If enough people are still curious, or if I have time, I'll write an advanced article on this.
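Here is how the tricks above look from the program's side, as an added example in C. It is not from the article or from the wargame it describes; the helper itself, the paths /usr/bin/file and /bin/echo, and the fixed PATH are my assumptions. It shows the vulnerable system() string that turns an input of "/tmp; id" into a second command, and a hardened way to run a helper from a setuid program: an argv array and no shell, absolute paths only so nothing in the caller's directory is picked up, a fixed environment so PAGER, PATH and friends cannot steer the child, and privileges dropped with setresuid before the exec, so even a pager's "!" escape would run as the real user.

```c
/* Added example, not the article's code: a setuid-style helper that runs
 * "file" on a user-supplied directory, first the vulnerable way and then
 * hardened.  Paths and the clean PATH below are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern: the "directory" is spliced into a command line that
 * system() would hand to /bin/sh -c.  Input "/tmp; id" becomes
 * "file /tmp; id" and sh runs id with the setuid owner's uid.
 * (Static buffer to keep the demo simple; returns the string, does not run it.) */
const char *build_vuln_command(const char *dir)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "file %s", dir);
    return cmd;
}

/* Characters that let sh split, extend or redirect a command line. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n\"'\\*?[]{}~#") != NULL;
}

/* Permanently give up the setuid owner's privileges.  setresuid sets real,
 * effective and saved uid at once; a plain setuid() called with a non-root
 * effective uid only changes the effective uid and leaves the saved uid
 * privileged, so the child could switch back.  Returns 0 on success. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0) return -1;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == real && e == real && s == real) ? 0 : -1;   /* verify */
}

/* Hardened exec: argv array (no shell parsing, so "; id" is just an odd
 * filename), absolute program path only (a planted ./file or ./happy in the
 * caller's cwd is never found), a fixed environment, and privileges dropped
 * before the exec.  Returns the child's exit status, or -1 on error. */
int run_without_shell(const char *prog, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (prog == NULL || prog[0] != '/') return -1;   /* refuse relative paths */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(127);
        execve(prog, argv, clean_env);
        _exit(127);                                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The hardened version of "run file on the directory the user typed". */
int safe_file_command(const char *dir)
{
    char *const argv[] = { "file", "--", (char *)dir, NULL };
    return run_without_shell("/usr/bin/file", argv);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    printf("vulnerable version would run: sh -c '%s'\n", build_vuln_command(argv[1]));
    if (has_shell_meta(argv[1]))
        printf("note: input contains shell metacharacters; passed as one argv element anyway\n");
    return safe_file_command(argv[1]);
}
```

The check in has_shell_meta is shown only to make the injection visible; the real fix is that the hardened path never builds a shell command line at all, so no blacklist has to be complete.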