Bugtraq mailing list archives

Re: RedHat 5.2 lrzsz-0.12.14-5 have serious security hole

From: yuri () KILLER CRACKSOFT KIEV UA (Yuri Kuzmenko)
Date: Tue, 1 Dec 1998 21:15:34 +0200


In article <19981201084554.A18101 () csl-gmbh net> you wrote:

Sorry. Yes, lrz is not buggy.

But "cu" program from uucp-1.06.1 (uucp.1.06.1-16 in rpm) contain this
security leak. I use "cu" as my modem terminal. "cu" set umask to zero at
self-init. I call "rz" from "cu" by ~+ command.

[3:20:45] yuri@killer:yuri$ rpm -qa|grep uucp
uucp-1.06.1-16
[3:20:45] yuri@killer:yuri$ cu -l ttyS1 -s 115200
Connected.
~+umask
000

src/uucp*/unix/init.c:

  /* We always set our file modes to exactly what we want.  */
  umask (0);

Solution is saving old umask before setting it to zero and restore after each
fork+exec.

And something about "lrz". I think that simple fopen() is not correct.
It's dangerous when other side, for example, set file mode to 0600. It's means
that _any_ user (if umask is set to world-readable), even if "sz" sending file
with user-only-access permission, can read this file while downloading.

p.s. ALL programs from this UUCP package set umask to zero. Maybe some of
parts of UUCP call another programs from itself. And all of this programs have
umask = 0. It's very bad.

On Mon, Nov 30, 1998 at 10:16:21PM +0200, Yuri Kuzmenko wrote:

lrz (Linux ZMODEM file receiver) from lrzsz package have a security hole
with file permission.

lrz create file with 0666 mode (world writable)

No, it doesn't. fopen() is not that buggy.

File mode set to normal (specifed by other side) only after downloading.

correct.

my umask is 022

I don't see a code path which doesn't honor your umask, and testing
shows that the files get created with (0666 & ~(umask)).

So what did you do? Can you tell me how to reproduce the behaviour
you have seen?

btw: I really like waking up and finding the name of software packages
i maintain (especially those i only maintain because nobody else did)
on bugtraq. It's going to be a beautiful day.
Next time just sent me an email some time before you send it to bugtraq.
Thank you.

Regards, Uwe


--
// Yuri Kuzmenko at home
// http://www.cracksoft.kiev.ua

Current thread:

Re: RedHat 5.2 lrzsz-0.12.14-5 have serious security hole Uwe Ohse (Nov 30)
- Re: RedHat 5.2 lrzsz-0.12.14-5 have serious security hole Yuri Kuzmenko (Dec 01)
- John the Ripper v1.6 Solar Designer (Dec 02)
- Security Bulletins Digest (fwd) Patrick Oonk (Dec 03)