In the name of God.
In the penetration-testing section of the book, an example is given to show why black-box testing falls short.
It is presumably an interesting example, but with our current knowledge it is not easy to understand; could you explain it a little?
What is meant by saying that the program should have cleaned its environment? In other words, what was the solution?
Thanks.
The posting describes a locally exploitable security hole in ChangePassword, which is a YP/Samba/Squid password-changing utility.

If changepassword.cgi is installed on a multiuser computer, any user with an account on the computer can gain complete control of the computer through the utility. The attacker can read and modify all files, watch all processes, and perform other such nefarious activities.

The bug occurs on line 317 of changepassword.c, which calls

system("cd /var/yp && make &> /dev/null");

without cleaning its environment in any way first. This is a big no-no. Unfortunately (or not, depending on your hat color) the Makefile arranges for changepassword.cgi to be setuid root. A malicious user can create an exploit as follows:

• set $PATH to point to an evil make program
• set $CONTENT_LENGTH to 512
• set $REQUEST_METHOD to POST
• feed form_user=u&form_pw=p&form_new1=x&form_new2=x& to changepassword.cgi, where u is the username and p is the password.

The attacker's make program then runs with root privileges.

In short, you can use this CGI script to change a password and to root the box, but not through the Web interface. Since this program doesn't clean up its environment properly before running, you can log into the machine, put a malicious command named make early on your path, execute the CGI script, and you're all done.
This bug is interesting for a number of reasons.
• It's a nice example of programmers' assumptions being violated.
• It's a Web application, but you can't find the vulnerability using port 80 nonsense.
• Because the problem is related to the interaction between the program and the environment, exploitability is tied to the configuration of the machine.
• Your QA environment might be okay and your production server might be vulnerable.
• You're unlikely to find it with any sort of black box penetration test since the tester needs to look at the source code to find the problem.
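To answer the question of what "cleaning its environment" means in practice, here is an added C example (not code from the book or from the ChangePassword project) of the hardened form of the call. Instead of system(), which hands the string to a shell that resolves "make" through the caller's PATH and inherits every other variable the user set, the child is started with execve() from a fixed, minimal environment, an absolute program path, and no shell at all. The environment values, the make path and the helper names (run_clean, rebuild_yp_maps, child_sees_clean_env) are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment handed to the child. Nothing from the caller's environment
 * (PATH, IFS, LD_*, ...) is inherited, so a user-supplied PATH cannot decide
 * which "make" runs. The values are assumptions for this example. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Returns 1 if `p` is absolute, i.e. program lookup cannot be steered by PATH. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/';
}

/* Runs `prog` (absolute path only) with `argv`, in `workdir` if given, with
 * stdout and stderr sent to /dev/null, under CLEAN_ENV and without a shell.
 * Returns the child's exit status (0..255); 127 if exec failed, 126 if the
 * chdir failed, -1 if the request was refused or fork/wait failed. */
int run_clean(const char *prog, char *const argv[], const char *workdir)
{
    if (!is_absolute_path(prog))
        return -1;                       /* refuse PATH-dependent names */

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                      /* child */
        if (workdir != NULL && chdir(workdir) != 0)
            _exit(126);
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {              /* same effect as "&> /dev/null" */
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execve(prog, argv, CLEAN_ENV);   /* no shell: no PATH search, no IFS parsing */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened counterpart of the book's
 *     system("cd /var/yp && make &> /dev/null");
 * `make_path` is the absolute path of the trusted make binary (an assumption;
 * the real location is installation-specific). */
int rebuild_yp_maps(const char *make_path, const char *yp_dir)
{
    char *const argv[] = { "make", NULL };
    return run_clean(make_path, argv, yp_dir);
}

/* Self-check: the child must see only the fixed PATH and nothing the parent's
 * environment carries. Returns 1 when that holds. */
int child_sees_clean_env(void)
{
    char *const argv[] = {
        "sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin ] && [ -z \"$LD_PRELOAD\" ]",
        NULL
    };
    return run_clean("/bin/sh", argv, NULL) == 0;
}

int main(void)
{
    /* Reproduce the precondition of the attack: an untrusted directory first on
     * the caller's PATH. The child must not be affected by it. */
    setenv("PATH", "/tmp/untrusted-dir:/usr/bin:/bin", 1);

    printf("child sees clean environment: %s\n",
           child_sees_clean_env() ? "yes" : "no");
    printf("relative program name refused: %s\n",
           rebuild_yp_maps("make", "/var/yp") == -1 ? "yes" : "no");
    return 0;
}
```

The three changes that matter are: the environment is built from scratch rather than inherited, the program is named by absolute path so PATH is irrelevant even if it did leak through, and no shell is involved so variables like IFS cannot change how the command line is parsed. A setuid program that still needs system() for some reason should at minimum reset PATH and IFS and drop other variables before the call, but replacing system() with execve() removes the whole class of problem.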