| Next | Classic Unix Security Problems | 11 |
Attack:
close(2)
Run passwd
passwd opens the password file for writing
A newly-opened file uses the lowest available descriptor
In this case, 2
Then passwd writes the prompt to stderr
That is, to descriptor 2
The prompt is written into the password file!
With potentially disastrous results
Solution: ???????
Conclusion: setuid programs are very hard to get right!
| Next | |
Copyright © 2005 M. J. Dominus |