Bugtraq mailing list archives
Re: [Re: Several FreeBSD-3.3 vulnerabilities]
From: btellier () USA NET (Brock Tellier)
Date: Wed, 1 Dec 1999 13:21:44 MST
Kris Kennaway <kris () hub freebsd org> wrote:
> On Tue, 30 Nov 1999, Brock Tellier wrote:
> > All of the vulnerabilities discussed herein are based on my work on FreeBSD 3.3-RELEASE. Each of the programs was installed with the default permissions given when unpacked with sysinstall. These permissions are:
> > -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
> This one was fixed a month ago after your last advisory. Obviously, if you're still using the same version of the OS you used in your initial advisory, it's not going to be fixed :-)
No, I mentioned that older hole but I also revealed six more that were equally serious and presumably unpatched. Unless your fix was to remove the suid-bit by default, seyon would still be vulnerable.
> > -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
> This one is a hole in the vendor-provided software, which wants to install it setuid uucp by default. With ~2800 third-party apps shipped with FreeBSD, we can't be held responsible for the security of all of them :-)
This is the statement I have a bit of a problem with. Sure there are 2800 ports, but how many of these are suid/sgid? I'm thinking *maybe* 50 that I saw when I did a full install of 3.3-RELEASE. Fifty apps, most of which are small like xmindpath, isn't a ridiculous number to audit. At LEAST auditing them for command-line overflows and setting up a /tmp watcher. You may not be legally responsible, or be able to take responsibility for the quality of the code, but when you allow a third-party to put a *suid* program into your distribution you imply some sort of trust with the end-user regarding its security integrity. At least to the point that we can assume that someone has taken the time to xmindpath -arg $BUF. Note that this isn't specifically directed at FreeBSD or free OSes.
> > -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
> This one is our fault (in the sense that installing it setgid games so it can write a high score file is not something the software does by default).
> Your advisory wasn't clear whether or not you contacted the port maintainers directly about these, and they were just slow off the mark, or if it was just security-officer () freebsd org. Assuming the former, one way of expediting the process would be to send mail to the (new) audit () freebsd org mailing list which has several people who will be quite happy to do some butt-kicking to get a response :-)
No, I contacted security-officer () freebsd org who responded that HE had contacted the maintainers. That was the last I ever heard of it.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
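The inventory step Brock argues for above ("how many of these are suid/sgid?"), as an added example that is not part of the original post or of the FreeBSD project's tooling: a POSIX shell script that lists, reports and counts the setuid/setgid executables under a directory tree, so a reviewer can scope exactly how many privileged programs a default install carries before auditing them. The function names and the directory argument are assumptions made for this example; the script only needs POSIX find(1), ls(1), sort(1), wc(1) and tr(1).

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD project): enumerate
# the setuid/setgid executables under a tree so the "how many are suid/sgid?"
# question is answered with a count instead of a guess.
# Function names are assumptions made for this example.

# Print the path of every regular file under $1 that carries the setuid (4000)
# or setgid (2000) bit, one per line, sorted. -xdev keeps the scan on one
# filesystem so NFS mounts and pseudo-filesystems are not walked.
list_privileged_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of such files; wc's padding is stripped so the value compares cleanly.
count_privileged_binaries() {
    list_privileged_binaries "$1" | wc -l | tr -d ' '
}

# Long listing (mode, owner, group, size, path) for each hit, in the same form
# the thread quotes, so the owner or group a program runs as is visible at a glance.
report_privileged_binaries() {
    list_privileged_binaries "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Usage: sh audit_suid.sh /usr/X11R6/bin
if [ $# -gt 0 ]; then
    report_privileged_binaries "$1"
    printf '%s setuid/setgid executables under %s\n' \
        "$(count_privileged_binaries "$1")" "$1"
fi
```

Running it over each directory that sysinstall populates (or over / with -xdev) gives the list to hand to an audit team; diffing two runs taken a week apart is a cheap way to notice a port that quietly added a privileged binary.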