"Eric P." wrote:
>
> Hello,
> I'm not sure to whom I should send this so if it is the
> wrong list could someone please direct me to the correct
> one.
> I was just wondering why a core dump or a buffer overflow
> in a suid task could give a user or someone root control of a
> system.
> What would cause this and mostly why?
> If I've used incorrect terms can someone also correct me.
> thank you
> Eric P.
>
AFAIK, a core dump, by itself, cannot give root access to anyone.
A buffer overflow is another issue entirely. Here's what happens:
Let's say you have a program called Server that runs setuid root. One
of the tasks for this program is reading information from users (URLs or
something maybe). Like most UNIX/Linux programs Server is written in C
which doesn't do dynamic string allocation--it's all up to the
programmer. So let's say the programmer has done something like this:
    #include <stdio.h>

    int main(void)
    {
        char buffer[80];    /* room for 79 characters plus the terminator */
        /* ... */
        gets(buffer);       /* reads until newline, with no bound on length */
        return 0;
    }
Since gets just gets characters until it can't get any more, buffer could
get more than the allotted 80 characters. This is a buffer overflow.
Why is it dangerous?
Because when you start putting data in unallocated memory spaces one of
two things can happen:
1) a segmentation fault resulting in a core dump
2) worse, you might overwrite some real data in memory
This second problem is what crackers look for. What they really want to
find is a buffer overflow that overwrites a function return pointer.
See, when you call a function the program has to store a pointer to the
next statement to execute upon return. With a little bit of luck a
cracker can stuff your buffer overflow with exactly the right amount of
exactly the right value so that the return pointer gets overwritten with
a pointer to a function of HIS devising.
Aha! So when that function returns, HIS code will be run under the user
of the Server program--which was running as root. Yikes!
--
My public encryption key is available from
www.az.com/~drysdam/crypt/rysdam.gpg.html
and of course www.keyserver.net
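The fix the reply implies, as an added example that is not part of the original message or of any real "Server" program: the same 80-byte buffer, but filled with a bounded read that can never write past the end, and that tells the caller when a line was longer than the buffer so the oversized input can be rejected rather than silently cut short. The names read_line_bounded, demo_read and demo_run are assumptions made for this example; fmemopen is POSIX (not ISO C) and is used only to feed constructed input to the reader.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 80   /* same buffer size as the gets() example above */

/* Hypothetical replacement for gets(): read one line from `in` into `buf`
 * (capacity `cap`), never storing more than cap-1 bytes plus the terminator.
 * Returns the number of bytes stored, or -1 on EOF/error. If the line did
 * not fit, the excess is drained from the stream and *truncated is set so
 * the caller can refuse the request instead of using a cut-off value. */
int read_line_bounded(FILE *in, char *buf, size_t cap, bool *truncated)
{
    *truncated = false;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* drop the newline, as gets() did */
    } else {
        /* No newline in the buffer: either EOF without a newline, the line
         * fit exactly, or the line overflowed the buffer. Peek at the next
         * byte to tell these apart, draining the rest of an oversized line. */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            *truncated = true;
            do {
                c = fgetc(in);
            } while (c != '\n' && c != EOF);
        }
    }
    return (int)len;
}

/* Demo helper: run the bounded reader over a constructed in-memory line
 * using an 80-byte stack buffer, exactly where gets() would have overflowed. */
int demo_read(const char *input, bool *truncated)
{
    char buffer[BUF_SIZE];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_line_bounded(in, buffer, sizeof buffer, truncated);
    fclose(in);
    return n;
}

/* Demo helper: build a constructed line of n 'A' characters plus a newline
 * (the classic overflow filler) and feed it through demo_read(). */
int demo_run(size_t n, bool *truncated)
{
    char *line = malloc(n + 2);
    if (line == NULL)
        return -1;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    int r = demo_read(line, truncated);
    free(line);
    return r;
}

/* Convenience wrappers returning plain ints for checking. */
int demo_run_len(size_t n)       { bool t; return demo_run(n, &t); }
int demo_run_truncated(size_t n) { bool t; demo_run(n, &t); return t ? 1 : 0; }

int main(void)
{
    size_t sizes[] = { 10, 79, 80, 200 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        bool t;
        int n = demo_run(sizes[i], &t);
        printf("line of %3zu chars -> stored %2d bytes, truncated=%d\n",
               sizes[i], n, t);
    }
    return 0;
}
```

The point of the truncated flag is the check a setuid service actually needs: a 200-character line stored into the 80-byte buffer now yields 79 bytes and truncated=1, so the program can log and reject it, whereas the gets() version would have written the remaining bytes over whatever sat above the buffer on the stack, including the saved return address the reply describes.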