Bugtraq mailing list archives

Re: ncurses 4.1 security bug

From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 9 Jul 1998 21:27:24 +0200

ncurses version 4.1 fails to drop priviledges before opening the
termcap database and you can set any file(s) you like. I am not sure
any setuid program allows an exploit but this is not good in any case.
Here is a patch that stops that game. (Using the patch requires
autoconf because I have not supplied diffs against the configure
script).


It seems to me that the below fix is broken; what happens if:

    - the program already swapped uids? (using setreuid(euid,ruid)?
            - you introduce a security hole
    - the program swapped using saved uids (using setreuid(-1. ruid))
            - fine with setfsuid
            - but with saved uids, you reset the saved euid to ruid.
              (you throw way the privileges you had for good.)

Juggling with uids in the library is hard; you don't know what the
original uids were and you really have no way to find out.

+#ifdef HAVE_SETFSUID
+                               /* drop privs to make sure file allowed */
+                               fsuid=setfsuid(getuid());
+                               fsgid=setfsgid(getgid());
+#else
+                               fsuid=getuid();
+                               fsgid=getgid();
+#ifdef HAVE_SETREUID
+                               /* Swap real and effective uid */
+                               setreuid(geteuid(), getuid());
+                               serregid(getegid(), getgid());
+#else
+                               seteuid(getuid()); /* Saved ids or broken */
+                               setegid(getgid());
+#endif /* HAVE_SETREUID */

Current thread:

Re: Forwared to me, (continued)
- - - Re: Forwared to me Raymond Medeiros (Jul 09)
    - socks5 1.0r5 buffer overflow.. Zach Brown (Jul 10)
    - Re: Forwared to me Toomas Soome (Jul 10)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Raymond Medeiros (Jul 13)
    - Re: Forwared to me Toomas Soome (Jul 13)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Jason Downs (Jul 13)
    - Re: Forwared to me Illuminatus Primus (Jul 13)
    - Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Casper Dik (Jul 09)
  - Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Matt Evans (Jul 09)
  - Re: ncurses 4.1 security bug Warner Losh (Jul 10)
    - inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
    - Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
  - Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)

(Thread continues...)