
Re: Splitvt exploit


From: joey () KITENET NET (Joey Hess)
Date: Wed, 14 Jun 2000 19:28:37 -0700


syzop wrote:
Splitvt 1.6.3 contains a buffer overflow, if you have installed splitvt suid root (like
Debian/Redhat/etc, btw not slackware) you should upgrade to 1.6.4.

Solution
=======
Debian users:
see http://www.debian.org/security/2000/20000605a

Note that in addition to the above fix, version 1.6.4-3 of splitvt in
Debian is no longer suid root, just sgid utmp. If any further security
holes are found (the program could use a thorough audit), I hope this
will greatly reduce the magnitude of the exploit. A patch for glibc
systems follows, which I have already sent to the author of splitvt.

Index: misc.c
===================================================================
RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/misc.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 misc.c
--- misc.c      1999/09/11 08:27:29     1.1.1.1
+++ misc.c      2000/06/14 22:02:47
@@ -108,6 +108,9 @@
 
                 /* Set our uid to our real uid if necessary */
                 (void) setuid(getuid());
+               /* Same for gid (program may be setgid utmp on some
+                * systems). */
+               (void) setgid(getgid());
                         
                 /* Run the requested program, with possible leading dash. */
                 execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv);
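Review bot: The new setgid(getgid()) is placed after the existing setuid(getuid()) and, like it, has its return value discarded with a (void) cast, so a failure of either call goes unnoticed and the execvp on the next line runs with whatever credentials are left. Group should be dropped before user (once the user id is gone the process may lack the privilege to change other ids on some systems), and both results must be checked. Replacing the two calls with `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(1);` keeps the same intent and refuses to exec on failure. The function containing this block starts and ends outside the hunk, so whether the caller already verifies the ids is not visible here.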
@@ -181,12 +184,18 @@
 #else /* ! IRIX */
 
 
-#ifdef SOLARIS         /* System V.4 pty routines from W. Richard Stevens */
+#if defined(SOLARIS) || defined(__GLIBC__)
+/* System V.4 pty routines from W. Richard Stevens */
+/* GLIBC is very similar, so this will handle it too. */
 
+#ifdef SOLARIS
+
 #include <stropts.h>
 
 #define DEV_CLONE      "/dev/ptmx"
 
+#endif
+
 extern char *ptsname();
 
 int get_master_pty()
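Review bot: The old-style `extern char *ptsname();` declaration is now also compiled for the glibc branch, where it is unnecessary and unprototyped; on glibc both ptsname and the getpt() that the new glibc branch of get_master_pty calls are prototyped in `<stdlib.h>` when `_GNU_SOURCE` is defined before the first include. Consider replacing the extern with a `#define _GNU_SOURCE` at the top of the file (or the build flags) so the compiler can check the calls. The combined `#if defined(SOLARIS) || defined(__GLIBC__)` also deserves a short comment naming the shared requirement (a grantpt/unlockpt/ptsname pty interface), since the two comment lines added below it only say glibc is "very similar". get_master_pty is declared on the hunk's last line and its body continues outside the hunk.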
@@ -194,9 +203,14 @@
 
         char   *ttyptr;
 
+#ifdef SOLARIS
         if ( (master_fd=open(DEV_CLONE, O_RDWR)) < 0 )
                 return(-1);
-
+#else /* GLIBC */
+       if ( (master_fd=getpt()) == -1 )
+               return (-1);
+#endif
+       
         if ( grantpt(master_fd) < 0 )  /* grant access to slave */
         {
                 close(master_fd);
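Review bot: The glibc branch tests `getpt()` with `== -1` and writes `return (-1)` while the Solaris branch directly above it uses `< 0` and `return(-1)`; the two branches should read the same, e.g. `if ( (master_fd=getpt()) < 0 )` followed by `return(-1);`. The `+` line after the `#endif` is whitespace only (trailing spaces) and should be dropped, as should the similar one at the end of the last misc.c hunk. A comment on the glibc branch noting that getpt() is a GNU extension requiring `_GNU_SOURCE` would save the next reader a lookup. get_master_pty begins before this hunk and its grantpt error handling continues past it.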
@@ -240,6 +254,7 @@
                 return(-1);
         }
 
+#ifdef SOLARIS
         if ( ioctl(slave_fd, I_PUSH, "ptem") < 0 )
         {
                 close(master_fd);
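Review bot: The `#ifdef SOLARIS` added here is closed only by the `#endif` added in the next hunk (after the last STREAMS push and its error handling), so the conditional spans more code than either hunk shows and the bare `#endif` gives no hint what it closes; write it as `#endif /* SOLARIS */`. A one-line comment on the `#ifdef`, such as `/* glibc ptys need no STREAMS modules; only Solaris pushes ptem/ldterm here */`, would make the intentionally empty glibc path explicit rather than leaving it to be inferred. The function that returns slave_fd starts before this hunk.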
@@ -260,7 +275,8 @@
                 close(slave_fd);
                 return(-1);
         }
-
+#endif
+       
         return(slave_fd);
 }
 
Index: utmp.c
===================================================================
RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/utmp.c,v
retrieving revision 1.2
diff -u -r1.2 utmp.c
--- utmp.c      1999/09/11 08:27:38     1.2
+++ utmp.c      2000/06/14 22:02:47
@@ -187,12 +187,13 @@
 #endif
         (void) time(&ut.ut_time);
 
-#if !defined(SOLARIS) && !defined(IRIX)
-       /* Solaris and Irix machines do this automatically */
+#if !defined(SOLARIS) && !defined(IRIX) && !defined(__GLIBC__)
+       /* Solaris and Irix and GLIBC machines do this automatically */
         /* Change the ownership and mode of the tty */
         if ( stat(tty, &sb) == 0 ) {
                 (void) chmod(tty, 0620);  /* crw--w---- */
                 (void) chown(tty, uid, sb.st_gid);
+               
         }
 #endif
         return(set_utmp(tty, &ut));
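Review bot: The guard now skips the chmod/chown of the tty by libc (`!defined(__GLIBC__)`), but what actually makes the step redundant is the grantpt()-based allocation path selected in misc.c by `defined(SOLARIS) || defined(__GLIBC__)`; tying the two conditions to a single macro (for example a `HAVE_GRANTPT` defined once next to that `#if`) keeps them from drifting apart when another platform is added. The updated comment "GLIBC machines do this automatically" would be more precise as `/* grantpt() already set the tty's owner and mode on these systems */`. The added line inside the if-body is whitespace only and should be removed. The enclosing function starts outside the hunk.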


-- 
see shy jo, splitvt maintainer for Debian



