Bugtraq mailing list archives

Re: ncurses 4.1 security bug

From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Fri, 10 Jul 1998 01:09:05 +0200


On Thu, 9 Jul 1998, Casper Dik wrote:

ncurses version 4.1 fails to drop priviledges before opening the
termcap database and you can set any file(s) you like. I am not sure
any setuid program allows an exploit but this is not good in any case.
Here is a patch that stops that game. (Using the patch requires
autoconf because I have not supplied diffs against the configure
script).


It seems to me that the below fix is broken; what happens if:

[...]

Juggling with uids in the library is hard; you don't know what the
original uids were and you really have no way to find out.


Oh my God, just another "confused deputy" (see [1])!

The library has got a filename (or a part of it). It has no reliable way
to figure out the credentials of a user who provided the filename. Even if
it had them, it would have no guarantee about being able to use them.

Moreover, there is no guarantee regarding the integrity the file, any
data read from it are "tainted". All code of the library dealing with
these data must be absolutely free of vulnerabilities.

There should be a law abolishing complex set*id programs.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."

[1] Hardy, N., "The Confused Deputy",
    http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

Current thread:

socks5 1.0r5 buffer overflow.., (continued)
- - - socks5 1.0r5 buffer overflow.. Zach Brown (Jul 10)
    - Re: Forwared to me Toomas Soome (Jul 10)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Raymond Medeiros (Jul 13)
    - Re: Forwared to me Toomas Soome (Jul 13)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Jason Downs (Jul 13)
    - Re: Forwared to me Illuminatus Primus (Jul 13)
    - Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Casper Dik (Jul 09)
  - Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Matt Evans (Jul 09)
  - Re: ncurses 4.1 security bug Warner Losh (Jul 10)
    - inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
    - Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
  - Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 12)