Classic Unix Security Problems | 15
Now suppose real.pl is a setuid-root interpreter (#!) script, run by /usr/bin/perl
I'm the attacker
I make a symbolic link to real.pl:
lrwxrwxrwx 1 mjd  users   7 Dec 7 16:30 bogus.pl -> real.pl
-rwsr-xr-x 1 root wheel 977 Dec 7 16:30 real.pl
Then I run bogus.pl
(1) The kernel follows the link and sees that bogus.pl is a setuid script
(2) It reads real.pl to find the interpreter name
(3) Then it runs /usr/bin/perl bogus.pl
In between (2) and (3), I remove bogus.pl
I replace it with a link to my-evil-script.pl
Root was granted on the strength of real.pl, but perl opens bogus.pl by name and finds my-evil-script.pl instead
My evil script is now running as root
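The race above, as an added example that is not part of the original slides: a deterministic, unprivileged simulation of the window between (2) and (3). Nothing here is setuid; the file names real.pl, bogus.pl and my-evil-script.pl come from the slide, their contents are constructed stand-ins, and the swap is called explicitly where the attacker would have to win the race. The open-once variant (keep the descriptor instead of handing the interpreter a path, which is what the /dev/fd approach does) is added for contrast and is not on the slide.

```shell
# Added example: simulate the setuid-script race as an ordinary user.
# The "kernel" and "interpreter" steps are plain shell commands; the point is
# that step (3) resolves the script NAME a second time.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the two scripts, plus the attacker's starting
# position: bogus.pl -> real.pl.  Re-runnable so each variant starts clean.
setup() {
    cd "$WORK"
    printf '#!/usr/bin/perl\nprint "real.pl as root\\n";\n' > real.pl
    printf '#!/usr/bin/perl\nprint "my-evil-script.pl as root\\n";\n' > my-evil-script.pl
    rm -f bogus.pl
    ln -s real.pl bogus.pl
}

# The attacker's move inside the window: repoint the link.
attacker_swaps_link() {
    rm -f bogus.pl
    ln -s my-evil-script.pl bogus.pl
}

# Flawed sequence from the slide: the interpreter is chosen from whatever
# bogus.pl points to at (2); the PATH is then passed on and re-opened at (3).
# Returns "<interpreter> => <line 2 of the file that actually gets run>".
racy_open() {
    interp=$(sed -n '1s/^#!//p' bogus.pl)   # (2) read via real.pl
    attacker_swaps_link                     # the race window
    body=$(sed -n 2p bogus.pl)              # (3) name resolved again -> evil
    printf '%s => %s\n' "$interp" "$body"
}

# Contrast: resolve the name exactly once and keep the open descriptor.
# The swap still happens, but no second lookup occurs, so the body read
# is the one the privilege decision was based on.
safe_open() {
    exec 3< bogus.pl                        # one resolution, fd bound to real.pl
    attacker_swaps_link                     # same race window
    body=$(sed -n 2p <&3)                   # read through the descriptor
    exec 3<&-
    printf '%s\n' "$body"
}

setup; echo "racy: $(racy_open)"
setup; echo "safe: $(safe_open)"
```

The racy variant reports `/usr/bin/perl => print "my-evil-script.pl as root\n";`: the interpreter and the privilege came from real.pl, the code from the attacker's file. One caveat for anyone trying the original attack today: Linux simply ignores the setuid bit on #! scripts, so the privileged half of the scenario does not arise there; the name-versus-descriptor lesson still applies to any privileged program that checks a path and then opens it again.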
Copyright © 2005 M. J. Dominus