Re: Advisory: mgetty local compromise

[Stan Bubrouski <satan () fastdial net>]

Gert Doering wrote:

> Hi,
>
> aren't there things you *REALLY* hate?  This is one of them.

Hate is strong word.  Mistakes are mistakes.  Move on.  If you really
hate things so much why not post them yourself to save others the trouble
of reporting the problem?  You know this ships with most of the most
popular linux distributions, so chances are that people are affected by this.

> On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> > Author                 : Stan Bubrouski
> > Date                    : August 26, 2000
> > Package              : mgetty
> > Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
> > Severity               : faxrunqd follows symbolic links when creating
> > certain files. The default location for the files is /var/spool/fax/outgoing,
> > which is a world-writable directory. Local users can destroy the contents
> > of any file on a mounted filesystem because faxrunqd is usually run by root.
> >
> > Problem              : mgetty comes with a program named faxrunqd, which is
> > a daemon to send fax jobs queued by faxspool(1).  Upon successful execution,
> > a file named .last_run is created in the /var/spool/fax/outgoing/
> > directory which is world-writable.  The problem lies in the fact faxrunqd
> > will follow symlinks created by any user, allowing file creation anywhere
> > and allowing existing files to be overwritten/destroyed.
>
> First of all, this hole does NOT exist anymore in 1.1.22.  It has been
> reported to me by the FreeBSD people, and closed on August 14, 2000.

Yeah and this report was constructed based on what I wrote on June 2nd
and was subsequently ignored.

> 1.1.22 has been released on August 17, 2000, and can be found on the usual
> places (http://alpha.greenie.net/mgetty/).

Yeah I know.  It was an error.  I meant to put that in a "Versions unaffected:"
row, but for some reason left on the same line as unaffected.  See I had actually
reported this to bugtraq over two months ago, and only one vendor addressed
the problem and they did it covertly so nobody knew.  It didn't help either that
when I made the original report I had it listed in a message explaining compromises

on Red Hat Linux 6.2 and so the scope of the problem was never recognized.
I only made this report to clarify the vulnerability and because it had now been
fixed.  My original report was to Red Hat on June 2, 2000.  It's the same as in
the advisory except it only shows how it is a problem.  That is
at http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874


> So, please, get your facts right before posting.
>
> Second, I am really annoyed to find this on bugtraq, with false data,
> without any prior contact.  The fact that I just released 1.1.22 should
> give you enough hint that I am still maintaining mgetty, and sending me a
> quick mal "hey, is this bug still open?" would have been in order.
>
> Also, it would have saved *you* the embarrassment to report something to
> bugtraq that is already fixed.

Not sure I understand this.  I thought thats what vendors usually want.
A report on a vulnerability after a patch or fix is available.  If this is not
the case please let me know, I have scathing holes in other software that
are not public because they have yet to be fixed.  Get real.  I don't
get embarressed by a simple typo, do you?

> Vendor releases might still be vulnerable (shipping old versions), but as
> faxrunqd(8) isn't usually run by default, a "standard system" should NOT
> be vulnerable.  *If* you run faxrunqd, though, upgrade to 1.1.22 (but
> those of you that do, you know who you are...)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert () greenie muc de
> fax: +49-89-35655025                        gert.doering () physik tu-muenchen de

Later.

Stan Bubrouski