Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 9 Jul 1998 21:27:24 +0200
ncurses version 4.1 fails to drop privileges before opening the termcap database and you can set any file(s) you like. I am not sure any setuid program allows an exploit but this is not good in any case. Here is a patch that stops that game. (Using the patch requires autoconf because I have not supplied diffs against the configure script).
It seems to me that the below fix is broken; what happens if:

    - the program already swapped uids? (using setreuid(euid,ruid))?
        - you introduce a security hole
    - the program swapped using saved uids (using setreuid(-1, ruid))
        - fine with setfsuid
        - but with saved uids, you reset the saved euid to ruid.
          (you throw away the privileges you had for good.)

Juggling with uids in the library is hard; you don't know what the original uids were and you really have no way to find out.
+#ifdef HAVE_SETFSUID + /* drop privs to make sure file allowed */ + fsuid=setfsuid(getuid()); + fsgid=setfsgid(getgid()); +#else + fsuid=getuid(); + fsgid=getgid(); +#ifdef HAVE_SETREUID + /* Swap real and effective uid */ + setreuid(geteuid(), getuid()); + serregid(getegid(), getgid()); +#else + seteuid(getuid()); /* Saved ids or broken */ + setegid(getgid()); +#endif /* HAVE_SETREUID */
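Review bot: In the HAVE_SETREUID branch, the call "serregid(getegid(), getgid());" is a misspelling of setregid, so that branch cannot build on the systems that select it; it should read setregid(getegid(), getgid()). Separately, none of the setreuid, seteuid or setegid calls in this hunk have their return values checked, so if a call fails the code carries on to open the termcap file with the ids unchanged; check each result and skip the user-supplied file on failure. The swap branch also assumes the caller still holds its original real and effective ids, which the hunk has no way to verify.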
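The two cases raised in the reply, traced through a small model of the uid triple. This is an added example, not code from the post or from ncurses; it assumes the unprivileged setreuid(2) rules as documented for Linux today, and the uids 1000 (user) and 50 (setuid owner) are constructed.

```c
#include <stdio.h>
/* Model of a process's real/effective/saved uid triple; not real credentials. */
typedef struct { int r, e, s; } ids;

/* setreuid(2) rules for a process without CAP_SETUID (assumed model).
 * -1 leaves a field unchanged. Returns 0 on success, -1 if not permitted. */
static int model_setreuid(ids *p, int ruid, int euid)
{
    ids old = *p;
    if (ruid != -1 && ruid != old.r && ruid != old.e)
        return -1;
    if (euid != -1 && euid != old.r && euid != old.e && euid != old.s)
        return -1;
    if (ruid != -1) p->r = ruid;
    if (euid != -1) p->e = euid;
    /* Saved uid tracks new euid if ruid is set, or euid != old real uid. */
    if (ruid != -1 || (euid != -1 && euid != old.r))
        p->s = p->e;
    return 0;
}

/* The patch's HAVE_SETREUID branch: setreuid(geteuid(), getuid()). */
static void library_swap(ids *p) { model_setreuid(p, p->e, p->r); }

/* Case 1: program had already dropped with setreuid(euid, ruid). */
ids case_already_swapped(void)
{
    ids p = { 1000, 50, 50 };     /* constructed: user 1000, setuid to 50 */
    model_setreuid(&p, p.e, p.r); /* program's own drop: 50/1000/1000 */
    library_swap(&p);             /* library "drop": euid is 50 again */
    return p;
}

/* Case 2: program had dropped via the saved uid, setreuid(-1, ruid). */
ids case_saved_uid(void)
{
    ids p = { 1000, 50, 50 };
    model_setreuid(&p, -1, p.r);  /* 1000/1000/50, can still regain 50 */
    library_swap(&p);             /* saved uid overwritten with 1000 */
    return p;
}

int main(void)
{
    ids a = case_already_swapped(), b = case_saved_uid();
    printf("case 1: r=%d e=%d s=%d\n", a.r, a.e, a.s);
    printf("case 2: r=%d e=%d s=%d\n", b.r, b.e, b.s);
    return 0;
}
```

In case 1 the file is opened with the privileged effective uid; in case 2 no uid in the triple is 50 any more, so the program cannot regain it.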