Code Question
  • Null Set
    Posts: 112
    I wanna test a few people on this :)
    # I originally posted this in securityoverride.com

    Situation: computer running an 11.04 Ubuntu has a file in the desktop named "safe".

    This program has the code of:

    #include <stdlib.h>

    int main(){
        system("uname");
        return 0;
    }


    Question: Is this program really safe to run in all cases?

    Will give the answer later on.
  • Sh3llc0d3
    Posts: 1,910
    Well firstly system() is nasty and shouldn't be used :P

    But no it's not. :).
  • sangf
    Posts: 203
    i voted yes, the only situation i could think of it being unsafe, was if uname is foreign software and is executed at the same permission level as the safe program, but that wouldn't make any sense because uname must be installed for it to be invoked like that. i guess there's something more to system() i don't know, or some semantics going on here :P
  • Sh3llc0d3
    Posts: 1,910
    said:


    i voted yes, the only situation i could think of it being unsafe, was if uname is foreign software and is executed at the same permission level as the safe program, but that wouldn't make any sense because uname must be installed for it to be invoked like that. i guess there's something more to system() i don't know, or some semantics going on here :P



    [spoiler=My Reason]system() is not specific; there are no checks on the program it executes ('uname'). uname, located in usr/bin/ (I believe - I'm not in Linux atm), can be edited if the person has the permissions to do so. Or just delete uname and replace it with a malicious file. The question is...

    "Is this program really safe to run in all cases?"

    It's not safe in all cases :)[/spoiler]
  • D0WNGRADE
    Posts: 220
    I agree with Sh3llc0d3. His reasoning is exactly what I was thinking. :P
  • undead
    Posts: 822
    This is also what I thought at first glance at the code.

    I tested it on my BackTrack VM and this is the result:
    http://i.imgur.com/ZHHHK.png

    I can't think of anything else :)
  • Sh3llc0d3
    Posts: 1,910
    Nice demo Undead. Proves the point very nicely :)
  • Null Set
    Posts: 112
    Nice job. :D Since a good answer has been given here already, I'll refer to that. Another method is to change the PATH to point to where your attack file is. If it's in /tmp for example, just do: PATH=/tmp

    This code is not safe in all cases, only in some. :)

    Thanks for participating.
  • Sh3llc0d3
    Posts: 1,910
    Thanks for the little test, hope you come up with some more soon :P
  • undead
    Posts: 822
    Is this safe?
    #!/usr/bin/python
    import os
    ip = raw_input("Ping IP: ")
    os.system("ping " + ip)


    ^ this one is easy :p
  • Null Set
    Posts: 112
    said:


    Is this safe?

    #!/usr/bin/python
    import os
    ip = raw_input("Ping IP: ")
    os.system("ping " + ip)


    ^ this one is easy :p


    I'd think it's unsafe by the same logic as before. It's still using a system() function which will still be as vulnerable as the previous code.
  • sangf
    Posts: 203
    that's what i thought, the only real difference is a user-specified string of data sent as a parameter. also, i just noticed that by the same logic, executing a python script.. or any script with a #bang is considered 'unsafe'; a bit pedantic, maybe? :P
  • undead
    Posts: 822
    You can replace ping but the other thing you can do here is this:
    [spoiler]
    http://i.imgur.com/ZBC2C.png[/spoiler]
  • Xin
    Posts: 3,251
    I'm too late for this but yeah not safe.
    Xin
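
A hardened counterpart to both snippets in this thread, added here as an example and not code posted by any participant: the program is looked up only in fixed directories instead of the inherited PATH, the ping target must parse as an IP address, and the command runs without a shell. The directory list, the function names and the sample inputs are assumptions made for the illustration.

```python
import ipaddress
import os
import subprocess

# Assumption: root-owned system directories on a typical Linux install.
TRUSTED_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")


def resolve_trusted(name, dirs=TRUSTED_DIRS):
    """Find `name` in fixed directories only; the inherited PATH is never read."""
    if os.sep in name:
        raise ValueError("expected a bare program name")
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def parse_ip(text):
    """Return the canonical address, or raise ValueError for anything else."""
    return str(ipaddress.ip_address(text.strip()))


def ping_argv(user_text, ping_path):
    """Build an argument vector; the address is one argv element, never shell text."""
    return [ping_path, "-c", "1", parse_ip(user_text)]


def run(argv):
    """Execute without a shell and with a minimal, fixed environment."""
    env = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    return subprocess.run(argv, env=env, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample inputs: a valid address and one carrying extra shell text.
    for sample in ("127.0.0.1", "127.0.0.1; echo x"):
        try:
            print(ping_argv(sample, resolve_trusted("ping") or "/bin/ping"))
        except ValueError as err:
            print("rejected:", err)
    uname = resolve_trusted("uname")
    if uname:
        print(run([uname]).stdout.strip())
```

This closes the PATH and user-input routes discussed above; it does not help if the binary in the trusted directory has itself been replaced, which is a file-permission and integrity-monitoring problem.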