suid root


aph3x
11-28-2000, 02:00 PM
I was reading a few articles over the holiday weekend concerning stack overflow exploits and how they are used to gain root shell access.

my question is this: if I set /bin/false to be root's login shell and have, say, wu-ftp.xxx running suid root. wu-ftp.xxx just so happens to be vulnerable to stack overflows.

am I still vulnerable if root doesn't really have an actual shell? how could a root shell be spawned if there is no shell to use?

thanks

X_console
11-28-2000, 04:04 PM
Hmm... you have to understand, that when a program is SUID root, it means that it runs under root's UID. It doesn't matter what shell root is using. If you look at the code for buffer overflow exploits, you'll see that the shellcode contains the code for starting its own shell, in the most common case, /bin/sh. So when the SUID program (running as root) starts /bin/sh, then /bin/sh is actually running as root. And therefore, you get a rootshell.

Hope that helps.
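The practical consequence of X_console's answer is that root's login shell in /etc/passwd is never consulted when a SUID-root program runs something; what matters is which binaries carry the set-user-ID bit at all. The following POSIX shell script is an added example (not code from this thread or from any project it mentions) that audits a directory tree for SUID files so an admin can see, and shrink, that set. The function names (`list_suid`, `count_suid`, `has_suid_bit`) and the `--audit` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory tree for set-user-ID
# executables. A SUID-root binary runs with root's effective UID no matter
# what root's login shell is, so the defensive lever is the list of SUID
# files on the box, not the shell field in /etc/passwd.

# list_suid DIR: print "<owner> <path>" for every regular file under DIR
# whose set-user-ID bit (octal 04000) is set.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # ls -ld prints the owner in the third column on any POSIX ls.
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s\n' "$owner" "$f"
    done
}

# count_suid DIR: number of SUID files found under DIR.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# has_suid_bit FILE: exit 0 if FILE has the set-user-ID bit, 1 otherwise.
# ([ -u FILE ] is the POSIX test for the SUID bit.)
has_suid_bit() {
    [ -u "$1" ]
}

# When run with --audit, walk the usual system binary directories and
# report every SUID file, then the total under /usr.
if [ "${1:-}" = "--audit" ]; then
    for d in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
        [ -d "$d" ] && list_suid "$d"
    done
    echo "total SUID files under /usr: $(count_suid /usr)"
fi
```

Run it as `sh suid_audit.sh --audit` and compare the output against what the distribution installs by default; anything extra (an FTP daemon, a custom binary) is a candidate for dropping the bit with `chmod u-s`, since that, not changing root's shell, is what removes the root-level impact of an overflow in it.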

aph3x
11-28-2000, 06:22 PM
okay, I gotcha...

but let's say someone tries executing a stack overflow and tried spawning a shell which didn't exist on my box, then it wouldn't work, right?

still, I suppose, they could edit the overflow string and change it to any shell they wanted until it spawned a shell

thanks for the reply

X_console
11-29-2000, 04:26 AM
Yes, if the shell didn't exist, then the shellcode would fail. And yes, the shellcode can be modified to execute a different shell that does exist.