2

As part of my security class we had to exploit a number of vulnerabilities in a less secure version of ubuntu. I solved all the challenges, however I came across one problem which I am hoping someone can shed some light on.

Each challenge was a setgid binary, which when taken over would give the attacker the next level privilege. In order to be added to that level's group, one would run the command l33t which essentially ran adduser <user> <group>.

On one of my exploits, my shellcode simply made a call to exec l33t and I received this message: Insecure dependency in printf while running setgid at /usr/share/perl5/Debian/AdduserCommon.pm line 64.

To get around the problem, I created a two line bourne shell that worked fine:

#!/bin/sh
l33t

Can anyone explain why I saw the Insecure dependency problem?

Sam
  • 7,252
  • 16
  • 46
  • 65
bboe
  • 4,092
  • 3
  • 29
  • 39
  • The [perldoc for printf](http://cpansearch.perl.org/src/CWEST/ppt-0.14/html/commands/printf/printf.tchrist.html#___top) does note the issue… But doesn't help explain why =\ – David Wolever Nov 10 '10 at 18:52

1 Answers1

0

If you don't already know about taint mode: it causes all user input to be marked as “tainted”, and will refuse to output any “tainted” value (the implication being that you must explicitly “untaint” untrusted input).

Anyway, line 64 of AdduserCommon.pm is an sprintf in the dief function… So I suspect what is happening is that, when you call l33t directly, the adduser script encounters some kind of error, then the taint error is raised when adduser tries to report that error.

David Wolever
  • 148,955
  • 89
  • 346
  • 502