Thread: system() vulnerable to a buffer overflow?

I very much doubt there is anything you can do to gain privileges, unless "exploitme" itself has suid privileges [and there is no reason for such an application to be given suid].

In the example given by Jon Erickson in Linux Magazine, the application is given suid privileges, and after that, the stack overflow is used to make the application propagate those privileges to other functions in the system, for example by calling system(). But system in and of itself is not a function that can be exploited [at least as far as I can determine by reading the source of it].

--
Mats

Giving totally unfiltered user input to a system call is not an exploit, it's pure stupidity. Don't use system() if you don't have to, read the FAQ on why it is bad. Thinking about exploitable holes in system() is like looking for dangerous parts on a tank. It is the dangerous part.

Originally Posted by robwhit

argc is only defined to be non-negative. So then argc[1] might be an overflow.

True, except for POSIX systems, where argc must be positive, and argv[argc] must be NULL.

Originally Posted by nvoigt

Giving totally unfiltered user input to a system call is not an exploit, it's pure stupidity. Don't use system() if you don't have to, read the FAQ on why it is bad. Thinking about exploitable holes in system() is like looking for dangerous parts on a tank. It is the dangerous part.

Yes, but it's system() itself is not in itself allowing privilege elevation - it allows the user to specify what else to run, but the general principle of privilege elevation is that you need to find a way to get into an application that already has privilieges that you wish to (ab)use. So a privileged applicaiton using system() would be a bad thing [because the user could change what system actually does, either by substituting what is passed into system, or by modifying/substituting the executable run system() in itself].

It's a bit like your analogy of the tank - it is only dangerous if you are OUTSIDE the tank. Inside the tank is quite safe [relatively speaking]. In the same way, a non-privileged application is quite safe [towards the rest of the OS], whilst the dangerous applications are those that have privileges. If you can somehow find a way to make a privileged application perform YOUR tasks, then you have [essentially] achieved unrestricted privileged access.

But the function system() in itself does not give privileges.

--
Mats