Question

As part of my security class we had to exploit a number of vulnerabilities in a less secure version of Ubuntu. I solved all the challenges; however, I came across one problem which I am hoping someone can shed some light on.

Each challenge was a setgid binary, which when taken over would give the attacker the next level privilege. In order to be added to that level's group, one would run the command l33t which essentially ran adduser <user> <group>.

On one of my exploits, my shellcode simply made a call to exec l33t and I received this message: Insecure dependency in printf while running setgid at /usr/share/perl5/Debian/AdduserCommon.pm line 64.

To get around the problem, I created a two-line Bourne shell script that worked fine:

#!/bin/sh
l33t

Can anyone explain why I saw the Insecure dependency problem?


Solution

If you don't already know about taint mode: it causes all user input to be marked as “tainted”, and will refuse to output any “tainted” value (the implication being that you must explicitly “untaint” untrusted input).

Anyway, line 64 of AdduserCommon.pm is a sprintf in the dief function… So I suspect what is happening is that, when you call l33t directly, the adduser script encounters some kind of error, then the taint error is raised when adduser tries to report that error.
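To make the mechanism in the answer concrete, here is an added example (my own script, not code from the question, the answer or adduser) that reproduces the "Insecure dependency in printf" failure under perl -T, which is the same check Perl enables on its own for a setuid/setgid program, and shows the regex-capture untainting the answer alludes to; the user name taken from @ARGV and the allow-list pattern are assumptions for the demo. Run it as: perl -T taint_demo.pl alice

```perl
#!/usr/bin/perl -T
# Added example: how Perl taint mode treats a printf/sprintf *format*
# versus a printf *argument*, and how to launder ("untaint") input.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T (or automatically when running setuid/setgid), every value that
# comes from outside the program -- @ARGV, %ENV, file and socket reads --
# carries the taint flag. The literal fallback 'nobody' is not tainted.
my $name = $ARGV[0] // 'nobody';    # constructed demo input
printf "input tainted: %d\n", tainted($name) ? 1 : 0;   # 1 when given on argv

# Allowed: a tainted value as an ARGUMENT; the format itself is a literal.
printf "hello, %s\n", $name;

# Not allowed: a tainted value used as the FORMAT. Concatenation keeps the
# taint, and do_sprintf dies before formatting anything:
#   "Insecure dependency in printf while running with -T switch at ..."
# (a setgid script reports "... while running setgid" instead).
my $fmt = $name . "\n";
eval { printf $fmt };
print "format check failed: $@" if $@;

# Laundering: only what a regex capture group matched is considered clean.
# Use an allow-list of the characters you actually accept, never a deny-list.
if ( $name =~ /\A([A-Za-z0-9_-]{1,32})\z/ ) {
    my $clean = $1;    # assumed user-name policy for this demo
    printf "laundered tainted: %d\n", tainted($clean) ? 1 : 0;   # 0
    printf "$clean\n";    # now accepted as a format
}
else {
    die "refusing input that is not a plain user name\n";
}
```

Running it without -T makes the eval succeed, which is exactly why a script that works from an interactive shell can still die once it is reached through a setgid path where Perl turns taint checks on by itself.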

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow