Bugtraq mailing list archives

Re: xmonisdn (isdn4k-utils/Linux) bug report


From: fw () DENEB CYGNUS ARGH ORG (Florian Weimer)
Date: Sun, 24 Oct 1999 08:18:27 +0200


Ron van Daal <ronvdaal () SYNTONIC NET> writes:

> That's the behaviour I would expect from xmonisdn. A setuid binary
> shouldn't dump core if it's being executed by a user which doesn't
> match the ownership of the binary. Therefore I think there are two
> problems: 1) (small) bug in xmonisdn 2) a bug in my Linux system.

If xmonisdn is setuid root on your system, you might have a gaping
security hole anyway.  Most configurations don't need a setuid
xmonisdn anymore, and if you must have it on your machine, you should
make the programs that xmonisdn calls setuid root (e.g., by using a
suidperl wrapper).  That's much safer than giving a random X11 program
root privileges, especially if the program was written without
security in mind.

This was reported some months ago and the CVS version of the isdn4kutils
was fixed, i.e. the setuid bit was removed.  Debian has upgraded their
isdn4kutils package; if your vendor didn't do that, you should contact
them and tell them.  This was the original announcement (which never
made its way to Bugtraq, the Debian fix was announced here, though):

| From: Florian Weimer <fw () s netic de>
| Subject: [SECURITY] xmonisdn: local users might gain superuser access
| Newsgroups: de.alt.comm.isdn4linux
| Date: 12 Aug 1999 10:52:32 +0200
| Message-ID: <877ln15qjz.fsf () deneb cygnus stuttgart netsurf de>
|
| I haven't seen any announcement for this yet, so here we go.
|
| There's a potential security hole in xmonisdn which might permit
| local users to gain superuser access.  xmonisdn is distributed with the
| isdn4kutils package and installed by default.
|
| The Makefile of the affected versions (isdn4kutils 3.0 betas, CVS until
| the beginning of August) installs the xmonisdn binary setuid root.
| xmonisdn uses external programs to control the status of the ISDN
| interfaces and calls these programs via system(), without providing a
| safe version of the environment.  As long as your libc overwrites the
| IFS environment variable (which all modern versions do), the default
| installation is safe, though, because the programs xmonisdn tries to
| call don't exist (you are expected to write your own scripts, which
| requires extreme care in order to avoid creating a security hole).
|
| The fix is simple: remove the setuid bit from xmonisdn.  In most cases,
| root privileges aren't required anyway, because nowadays, `isdnctrl
| dialmode' can be used to control the interface status (which only
| requires read-write privileges on /dev/isdninfo and /dev/isdnctrl,
| which can be granted by putting users into the appropriate group).
|
| Thanks to Paul Slootman <paul () debian org> for writing the fix and
| committing it to the isdn4linux CVS.

