
Friday 19 July 2019, 15:07  #1
Announcement: [FAQ] dash is now dropping its privileges!
das
  • 57 posts

“When exploiting a setuid binary, I get a shell but it has the same permissions I had when running it?”

For security reasons, and for about 15 years, bash has been dropping its privileges if the effective uid is not the same as the real uid. Consequently, dash, which /bin/sh is symlinked to on our machines, received a patch in early 2018 and now does the same.

From the bash man page: "If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids."

There are several ways around this:
  • use a shellcode that sets the uid/gid you want
  • use a shellcode that passes the '-p' option so that the effective uid is not reset
  • use a legacy shellcode but point it to your wrapper /tmp/xx that does a setreuid() then system()

Here’s a wrapper example you could place in a writeable directory such as /tmp/:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
   // 0 is root, might need to be modified for your user.
   // Setting both the real and the effective uid is what keeps bash/dash
   // from dropping privileges again; check the result, otherwise a failed
   // call silently gives you an unprivileged shell.
   if (setreuid(0, 0) != 0) {
       perror("setreuid");
       return 1;
   }
   system("/bin/bash");

   return 0;
}

Cheers
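As an added illustration of the rule the man page excerpt describes (example code written for this FAQ, not part of the original post and not bash's or dash's own source): the startup check a shell performs, and the drop itself done in the order and with the verification a careful implementation needs. The names must_drop_privs and drop_privs_like_shell are hypothetical, and privileged_mode stands in for bash's -p flag.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The decision bash/dash take at startup: with -p not given, any mismatch
 * between real and effective user or group id means "drop". */
bool must_drop_privs(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                     bool privileged_mode)
{
    if (privileged_mode)
        return false;
    return ruid != euid || rgid != egid;
}

/* Reset the effective ids to the real ids, as the man page describes.
 * Returns 0 when the process ends up unprivileged (or never was), -1 if
 * the drop failed. A failed drop must never be ignored: the caller would
 * otherwise keep running with the elevated ids it believes it gave up. */
int drop_privs_like_shell(bool privileged_mode)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (!must_drop_privs(ruid, euid, rgid, egid, privileged_mode))
        return 0;

    /* Group first: once the uid is no longer 0 the gid can't be changed. */
    if (setgid(rgid) != 0) { perror("setgid"); return -1; }
    if (setuid(ruid) != 0) { perror("setuid"); return -1; }

    /* Verify rather than trust the return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    /* Run from a setuid binary this prints the ids before and after. */
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    int rc = drop_privs_like_shell(false);
    printf("after:  uid=%u euid=%u (rc=%d)\n", (unsigned)getuid(), (unsigned)geteuid(), rc);
    return rc == 0 ? 0 : 1;
}
```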