[cap-talk] Confused Deputy (definitions)

Sandro Magi naasking at higherlogics.com
Fri Oct 27 09:00:29 CDT 2006


Charles Landau wrote:
> I would like to replace the passwd example with an example that 
> follows Ping's pattern #2, but phrased in Unix terms which will be 
> more relevant and updated than Norm's example. Can someone who is 
> more familiar with Unix than I am suggest such an example?

As a starting point, if Unix were a pure access list system and not a
hybrid ACL-capability system, the following C program would confuse
passwd and have it overwrite /etc/passwd:

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char** argv) {
  /* the "read" check happens once, here, against the caller's own uid;
     the encapsulated "read" permission in the descriptor is what avoids
     the confused deputy */
  int etc_passwd = open("/etc/passwd", O_RDONLY);
  if (etc_passwd < 0) {
    perror("open /etc/passwd");
    return 1;
  }
  /* redirect stdout and stderr to /etc/passwd */
  close(1);
  dup(etc_passwd);
  close(2);
  dup(etc_passwd);
  close(etc_passwd);
  /* execute passwd with the redirected stdout and stderr;
     execv only returns if the exec itself fails */
  execv("/usr/bin/passwd", argv);
  return 1;
}

The attack only fails because file descriptors are capabilities granted
to passwd. If the etc_passwd descriptor did not encapsulate the
permission, the access check would have been performed by passwd when it
tried to print messages to the screen; I believe this would have been a
legitimate confused deputy attack.

The only other possibility I can think of is to find a setuid executable
that accepts a file path as a command line argument to read and/or write.

Sandro
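The mechanism the message relies on can be watched directly without touching passwd or /etc/passwd. The program below is an added example, not code from the original post: it creates a scratch file of its own (the line written into it is constructed for the demo, and the path template under /tmp and the use of mkstemp are assumptions about a POSIX system), performs the same stdout redirection as the sketch above, and then tries to write through fd 1. With a descriptor opened O_RDONLY the write fails with EBADF, because the kernel checked "read" at open() and dup/dup2 copy that descriptor, not the path; with the same file opened O_RDWR the identical redirection succeeds. The rights travel with the descriptor, which is the capability-like property the message points at.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a scratch file (constructed for this demo; /tmp template is an
 * assumption) holding one passwd-style line, then reopen it with the
 * requested flags. Returns the descriptor or -1. The name is unlinked
 * right away so only descriptors reference the file afterwards. */
static int open_scratch(int flags) {
    char tmpl[] = "/tmp/capdemo-XXXXXX";
    const char *seed = "root:x:0:0:root:/root:/bin/sh\n";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, seed, strlen(seed)) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    fd = open(tmpl, flags);
    unlink(tmpl);
    return fd;
}

/* Alias fd 1 onto `fd` exactly as the attack sketch does, attempt to write a
 * line through fd 1, then restore the original stdout. Returns 0 if the
 * write succeeded, the errno it failed with, or -1 if setup failed. */
static int write_via_stdout_alias(int fd) {
    const char *line = "attacker:x:0:0::/:/bin/sh\n";
    int saved = dup(STDOUT_FILENO);
    if (saved < 0) return -1;
    if (dup2(fd, STDOUT_FILENO) < 0) {
        close(saved);
        return -1;
    }
    int err = (write(STDOUT_FILENO, line, strlen(line)) < 0) ? errno : 0;
    dup2(saved, STDOUT_FILENO);   /* put the real stdout back */
    close(saved);
    return err;
}

/* The sketch's case: the descriptor was opened O_RDONLY, so the duplicated
 * fd 1 still carries only "read" and the write is refused with EBADF. */
int readonly_dup_write(void) {
    int fd = open_scratch(O_RDONLY);
    if (fd < 0) return -1;
    int err = write_via_stdout_alias(fd);
    close(fd);
    return err;
}

/* Control: same redirection, but the descriptor was opened O_RDWR. The
 * write succeeds, showing the rights are bound to the descriptor. */
int readwrite_dup_write(void) {
    int fd = open_scratch(O_RDWR);
    if (fd < 0) return -1;
    int err = write_via_stdout_alias(fd);
    close(fd);
    return err;
}

int main(void) {
    int ro = readonly_dup_write();
    int rw = readwrite_dup_write();
    fprintf(stderr, "O_RDONLY descriptor, write via fd 1: %s\n",
            ro == EBADF ? "EBADF (refused)" : strerror(ro));
    fprintf(stderr, "O_RDWR descriptor, write via fd 1: %s\n",
            rw == 0 ? "ok" : strerror(rw));
    return 0;
}
```

Compile with a plain cc and run it as an ordinary user; no setuid binary is involved, since the point is only that the read-only descriptor, not the file's ACL, decides whether the write goes through.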
