Bugtraq mailing list archives
Re: ncurses 4.1 security bug
From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Fri, 10 Jul 1998 01:09:05 +0200
On Thu, 9 Jul 1998, Casper Dik wrote:
ncurses version 4.1 fails to drop privileges before opening the termcap database and you can set any file(s) you like. I am not sure any setuid program allows an exploit but this is not good in any case. Here is a patch that stops that game. (Using the patch requires autoconf because I have not supplied diffs against the configure script).

It seems to me that the below fix is broken; what happens if:
[...]
Juggling with uids in the library is hard; you don't know what the original uids were and you really have no way to find out.
Oh my God, just another "confused deputy" (see [1])!

The library has got a filename (or a part of it). It has no reliable way to figure out the credentials of a user who provided the filename. Even if it had them, it would have no guarantee about being able to use them.

Moreover, there is no guarantee regarding the integrity of the file, any data read from it are "tainted". All code of the library dealing with these data must be absolutely free of vulnerabilities.

There should be a law abolishing complex set*id programs.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."

[1] Hardy, N., "The Confused Deputy", http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
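
Added example, not part of the original message and not ncurses code: one defensive policy a library can apply to the problem discussed above is to stop honouring a caller-supplied database name whenever the process runs set*id, instead of juggling uids. The names `choose_db_path`, `struct ids`, `EXAMPLE_TERMDB` and the default path are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed default; stands in for a library's compiled-in database path. */
#define DEFAULT_DB "/usr/share/example/termdb"

/* Ids are passed in explicitly so the policy can be exercised without
 * installing a set*id binary. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

static struct ids current_ids(void) {
    struct ids i = { getuid(), geteuid(), getgid(), getegid() };
    return i;
}

/* Non-zero when the process holds privileges its invoker does not have
 * (set-uid or set-gid execution), judged from the current ids only. */
static int runs_privileged(struct ids i) {
    return i.ruid != i.euid || i.rgid != i.egid;
}

/* Choose the database path. A user-supplied name (for instance from an
 * environment variable) is honoured only when the process has no extra
 * authority to lend to it; otherwise the fixed default is used and the
 * library never has to guess on whose behalf the name was given.
 *
 * Limitation, matching the remark quoted in the thread: if the program has
 * already changed its real ids (e.g. setuid(0) in a set-uid root binary),
 * the original ids are gone and this check cannot see the privilege. */
static const char *choose_db_path(const char *user_supplied, struct ids i) {
    if (user_supplied == NULL || *user_supplied == '\0')
        return DEFAULT_DB;
    if (runs_privileged(i))
        return DEFAULT_DB;
    return user_supplied;
}

int main(void) {
    /* EXAMPLE_TERMDB is a hypothetical variable name. */
    const char *path = choose_db_path(getenv("EXAMPLE_TERMDB"), current_ids());
    return path == NULL; /* exit status 0: a path was always chosen */
}
```

Even when the default path is used, the file contents still need the careful parsing the message asks for; this policy only removes the attacker-chosen filename.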