Bugtraq mailing list archives

Re: [Re: Several FreeBSD-3.3 vulnerabilities]


From: btellier () USA NET (Brock Tellier)
Date: Wed, 1 Dec 1999 13:21:44 MST


Kris Kennaway <kris () hub freebsd org> wrote:

> On Tue, 30 Nov 1999, Brock Tellier wrote:
>
> > All of the vulnerabilities discussed herein are based on my work on
> > FreeBSD 3.3-RELEASE. Each of the programs was installed with the
> > default permissions given when unpacked with sysinstall.
> > These permissions are:
> > -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
>
> This one was fixed a month ago after your last advisory. Obviously, if
> you're still using the same version of the OS you used in your initial
> advisory, it's not going to be fixed :-)

No, I mentioned that older hole but I also revealed six more that were equally
serious and presumably unpatched.  Unless your fix was to remove the suid-bit
by default, seyon would still be vulnerable.

> > -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
>
> This one is a hole in the vendor-provided software, which wants to install
> it setuid uucp by default. With ~2800 third-party apps shipped with
> FreeBSD, we can't be held responsible for the security of all of them :-)

This is the statement I have a bit of a problem with.  Sure there are 2800
ports, but how many of these are suid/sgid?  I'm thinking *maybe* 50 that I
saw when I did a full install of 3.3-RELEASE.  Fifty apps, most of which are
small like xmindpath, isn't a ridiculous number to audit.  At LEAST auditing
them for command-line overflows and setting up a /tmp watcher.  
You may not be legally responsible, or be able to take responsibility for the
quality of the code, but when you allow a third-party to put a *suid* program
into your distribution you imply some sort of trust with the end-user
regarding its security integrity.  At least to the point that we can assume
that someone has taken the time to xmindpath -arg $BUF.  Note that this isn't
specifically directed at FreeBSD or free OS's.

> > -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
>
> This one is our fault (in the sense that installing it setgid games so it
> can write a high score file is not something the software does by
> default).
>
> Your advisory wasn't clear whether or not you contacted the port
> maintainers directly about these, and they were just slow off the mark, or
> if it was just security-officer () freebsd org. Assuming the former, one way
> of expediting the process would be to send mail to the (new)
> audit () freebsd org mailing list which has several people who will be quite
> happy to do some butt-kicking to get a response :-)

No, I contacted security-officer () freebsd org who responded that HE had
contacted the maintainers.  That was the last I ever heard of it.  

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
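One way to act on the point above about the fifty-odd suid/sgid programs in a full install is to keep an inventory of them and diff it against a saved baseline, so a newly added privileged binary, or one whose bit was supposed to have been removed (as with seyon), shows up. This is an added example, not code from the thread or from FreeBSD; it assumes a POSIX sh with find, ls, awk, comm and mktemp, and a baseline file in the same "mode owner group path" format the script itself prints (paths containing spaces are not handled).

```shell
#!/bin/sh
# Added example: inventory setuid/setgid executables and compare with a baseline.

# Print one "mode owner group path" line per setuid/setgid regular file under
# the given directories, sorted by path. Only lines starting with '-' (regular
# files) are kept, so a stray directory listing never slips in.
list_privileged() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '$1 ~ /^-/ { print $1, $3, $4, $NF }' | sort -k4
}

# Answer the "how many of these are suid/sgid?" question for the given roots.
count_privileged() {
    list_privileged "$@" | wc -l | tr -d ' '
}

# Compare the current inventory with a baseline file (assumed format: the
# output of list_privileged). Prints "+ line" for entries not in the baseline
# (new privileged binaries) and "- line" for baseline entries no longer present
# (a bit that was removed). Returns 0 when both lists match, 1 otherwise.
check_baseline() {
    baseline=$1; shift
    work=$(mktemp) || return 2
    # comm compares whole lines lexically, so re-sort both sides the same way.
    sort "$baseline" > "$work.base"
    list_privileged "$@" | sort > "$work.cur"
    added=$(comm -13 "$work.base" "$work.cur")
    removed=$(comm -23 "$work.base" "$work.cur")
    rm -f "$work" "$work.base" "$work.cur"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Typical use on a FreeBSD box: list_privileged /usr/X11R6/bin /usr/local/bin > baseline.txt
# once, then run check_baseline baseline.txt /usr/X11R6/bin /usr/local/bin after each upgrade.
```

Run the inventory once after a clean install to create the baseline, then rerun the check after every ports or base upgrade and treat any "+" line as something that needs the same audit the thread asks for.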
