Classic Unix Security Problems (slide 9)
Unix has a little-known system call chroot()
It's like chdir()
But instead of changing a process's idea of the current directory...
It changes the process's idea of where the root directory is, so every absolute path the process opens afterwards is resolved under the new root
Manufacture /tmp/attack/etc/passwd (with a root entry whose password we chose), /tmp/attack/bin/sh, etc.
chroot() to /tmp/attack, then run su root (the real setuid su must be reachable inside the new root, e.g. via a hard link, since a copy made by an ordinary user does not carry the setuid bit)
su will prompt for the root password
Will check it against /etc/passwd
But inside the chroot, /etc/passwd is really /tmp/attack/etc/passwd, so the password it accepts is ours
su is setuid root, so the shell it then execs (our /tmp/attack/bin/sh) runs with UID 0!
Then we can wreak all sorts of havoc
Solution: only root may use chroot(). That is why chroot(2) is a privileged call on every modern Unix (CAP_SYS_CHROOT on Linux). Note the converse: a root process inside a chroot can escape it, so chroot() is not a privilege boundary against root, only a path-lookup change.
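The lookup substitution the slide describes, as an added example that is not part of the original talk. It builds a throwaway fake root under /tmp (mkdtemp, mirroring the slide's /tmp/attack) with an attacker-chosen etc/passwd, then in a child process calls chroot() on it and opens the absolute path /etc/passwd, which is what su would do to fetch root's password entry. Run as an ordinary user it reports that the kernel refused chroot(), i.e. the mitigation on the slide; run as root it shows the fake file coming back for /etc/passwd. The directory name, the passwd line and the result codes are this example's own choices; it never execs su.

```c
/* Added example, not code from the original slides.  Demonstrates that after
 * chroot() the absolute path /etc/passwd resolves inside the attacker's tree,
 * and that an unprivileged caller is refused (the slide's "only root" fix). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed data: a root entry with an empty password field. */
static const char FAKE_PASSWD[] = "root::0:0:fake root:/:/bin/sh\n";

/* Result codes of try_chroot_lookup() (this example's own convention). */
enum { CHROOT_SUBSTITUTED = 0, CHROOT_DENIED = 1, CHROOT_UNEXPECTED = 2 };

/* Create <base>/etc/passwd containing FAKE_PASSWD.  Returns 0 on success. */
int build_fake_root(const char *base)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/etc", base);
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/etc/passwd", base);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, FAKE_PASSWD, sizeof FAKE_PASSWD - 1);
    close(fd);
    return n == (ssize_t)(sizeof FAKE_PASSWD - 1) ? 0 : -1;
}

/* Fork, chroot() the child into base, and read "/etc/passwd" there, exactly
 * the path su consults.  The parent's filesystem view is untouched.
 * Returns CHROOT_SUBSTITUTED if the fake entry came back, CHROOT_DENIED if
 * the kernel refused the chroot() call, CHROOT_UNEXPECTED otherwise. */
int try_chroot_lookup(const char *base)
{
    pid_t pid = fork();
    if (pid < 0)
        return CHROOT_UNEXPECTED;
    if (pid == 0) {
        if (chroot(base) != 0)
            _exit(CHROOT_DENIED);           /* EPERM for non-root callers */
        if (chdir("/") != 0)                /* don't keep a cwd outside the new root */
            _exit(CHROOT_UNEXPECTED);
        char buf[256];
        int fd = open("/etc/passwd", O_RDONLY);
        if (fd < 0)
            _exit(CHROOT_UNEXPECTED);
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n < 0)
            _exit(CHROOT_UNEXPECTED);
        buf[n] = '\0';
        _exit(strcmp(buf, FAKE_PASSWD) == 0 ? CHROOT_SUBSTITUTED
                                             : CHROOT_UNEXPECTED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return CHROOT_UNEXPECTED;
    return WEXITSTATUS(status);
}

/* Remove the throwaway tree built by build_fake_root(). */
void remove_fake_root(const char *base)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/etc/passwd", base);
    unlink(path);
    snprintf(path, sizeof path, "%s/etc", base);
    rmdir(path);
    rmdir(base);
}

int main(void)
{
    char base[] = "/tmp/attack.XXXXXX";    /* mirrors the slide's /tmp/attack */
    if (mkdtemp(base) == NULL || build_fake_root(base) != 0) {
        perror("setup");
        return 1;
    }
    switch (try_chroot_lookup(base)) {
    case CHROOT_SUBSTITUTED:
        printf("chroot() allowed: /etc/passwd now resolves to %s/etc/passwd\n", base);
        break;
    case CHROOT_DENIED:
        printf("chroot() refused: unprivileged callers cannot move the root\n");
        break;
    default:
        printf("unexpected failure\n");
    }
    remove_fake_root(base);
    return 0;
}
```

Compile with `cc -o chroot_demo chroot_demo.c`, run once as yourself and once under sudo to see both outcomes. The child never execs anything, so even the root run only reads the fake file; in the real attack the setuid su would do this same lookup and then exec the attacker's /bin/sh.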
Copyright © 2005 M. J. Dominus