Bugtraq mailing list archives
Re: Splitvt exploit
From: joey () KITENET NET (Joey Hess)
Date: Wed, 14 Jun 2000 19:28:37 -0700
syzop wrote:
> Splitvt 1.6.3 contains a buffer overflow, if you have installed splitvt suid root (like Debian/Redhat/etc, btw not slackware) you should upgrade to 1.6.4.
>
> Solution
> =======
> Debian users: see http://www.debian.org/security/2000/20000605a
Note that in addition to the above fix, version 1.6.4-3 of splitvt in Debian is no longer suid root, just sgid utmp. If any further security holes are found (the program could use a thorough audit), I hope this will greatly reduce the magnitude of the exploit. A patch for glibc systems follows, which I have already sent to the author of splitvt.

Index: misc.c =================================================================== RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/misc.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 misc.c --- misc.c 1999/09/11 08:27:29 1.1.1.1 +++ misc.c 2000/06/14 22:02:47 @@ -108,6 +108,9 @@ /* Set our uid to our real uid if necessary */ (void) setuid(getuid()); + /* Same for gid (program may be setgid utmp on some + * systems). */ + (void) setgid(getgid()); /* Run the requested program, with possible leading dash. */ execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv); @@ -181,12 +184,18 @@ #else /* ! IRIX */ -#ifdef SOLARIS /* System V.4 pty routines from W. Richard Stevens */ +#if defined(SOLARIS) || defined(__GLIBC__) +/* System V.4 pty routines from W. Richard Stevens */ +/* GLIBC is very similar, so this will handle it too. */ +#ifdef SOLARIS + #include <stropts.h> #define DEV_CLONE "/dev/ptmx" +#endif + extern char *ptsname(); int get_master_pty() @@ -194,9 +203,14 @@ char *ttyptr; +#ifdef SOLARIS if ( (master_fd=open(DEV_CLONE, O_RDWR)) < 0 ) return(-1); - +#else /* GLIBC */ + if ( (master_fd=getpt()) == -1 ) + return (-1); +#endif + if ( grantpt(master_fd) < 0 ) /* grant access to slave */ { close(master_fd); @@ -240,6 +254,7 @@ return(-1); } +#ifdef SOLARIS if ( ioctl(slave_fd, I_PUSH, "ptem") < 0 ) { close(master_fd);
@@ -260,7 +275,8 @@ close(slave_fd); return(-1); } - +#endif + return(slave_fd); } Index: utmp.c =================================================================== RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/utmp.c,v retrieving revision 1.2 diff -u -r1.2 utmp.c --- utmp.c 1999/09/11 08:27:38 1.2 +++ utmp.c 2000/06/14 22:02:47 @@ -187,12 +187,13 @@ #endif (void) time(&ut.ut_time); -#if !defined(SOLARIS) && !defined(IRIX) - /* Solaris and Irix machines do this automatically */ +#if !defined(SOLARIS) && !defined(IRIX) && !defined(__GLIBC__) + /* Solaris and Irix and GLIBC machines do this automatically */ /* Change the ownership and mode of the tty */ if ( stat(tty, &sb) == 0 ) { (void) chmod(tty, 0620); /* crw--w---- */ (void) chown(tty, uid, sb.st_gid); + } #endif return(set_utmp(tty, &ut));

--
see shy jo, splitvt maintainer for Debian
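Review bot: in the misc.c hunk at @@ -108,6 +108,9 @@ both privilege drops, the existing `(void) setuid(getuid());` and the added `(void) setgid(getgid());`, discard their return values, so if either call fails the execvp() that follows still runs the requested program with the privileged id in effect. Suggest checking both returns and refusing to exec on failure, with the group dropped before the user id, e.g. `if (setgid(getgid()) < 0 || setuid(getuid()) < 0) exit(1);`.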
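Review bot: in the misc.c hunk at @@ -181,12 +184,18 @@ the glibc side of the new `#if defined(SOLARIS) || defined(__GLIBC__)` block keeps the prototype-less declaration `extern char *ptsname();` and includes no header for the pty functions the glibc path relies on (getpt(), grantpt(), ptsname()); glibc declares these in <stdlib.h> only when _GNU_SOURCE (for getpt) or _XOPEN_SOURCE (for grantpt and ptsname) is defined before the include. Suggest replacing the extern with `#include <stdlib.h>` under the appropriate feature macro so the compiler can check argument and return types instead of assuming int.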
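Review bot: in the misc.c hunk at @@ -194,9 +203,14 @@ the two branches test failure differently, `< 0` for open() and `== -1` for the added getpt(); suggest using the same `< 0` test in both for consistency. More importantly, the visible context ends at grantpt(): on both Solaris and glibc the slave must also be unlocked with unlockpt(master_fd) before ptsname() is used and the slave is opened, and nothing in the hunk shows that call. If the unchanged code below already does it, fine; otherwise add it after the grantpt() check.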
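Review bot: the misc.c hunks at @@ -240,6 +254,7 @@ and @@ -260,7 +275,8 @@ together wrap the STREAMS `ioctl(slave_fd, I_PUSH, ...)` calls in `#ifdef SOLARIS` ... `#endif`, which is the right thing for glibc (no ptem/ldterm modules to push), but the `#ifdef` opens at new line 254 and the `#endif` closes at line 279, so everything in between, including whatever lies outside the shown context, is compiled out on glibc. Confirm that only the push calls and their error cleanup (`close(master_fd); close(slave_fd); return(-1); }`) sit inside the region and that `return(slave_fd);` stays outside, as the last hunk shows; wider context (diff -u5) would make that reviewable from the patch alone.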
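Review bot: in the utmp.c hunk at @@ -187,12 +187,13 @@ the added `+ }` closes the `if ( stat(tty, &sb) == 0 ) {` block inside the `#if` region, but the context shows neither the brace that closed it before nor its removal, so the hunk either adds a duplicate `}` on the non-glibc path or fixes a pre-existing mismatch, and the diff does not say which. Suggest regenerating with more context so the brace balance is visible. Skipping the chmod/chown on glibc is correct, since glibc's grantpt() already sets the slave to the caller's uid with mode 0620; the new comment would read better as "Solaris, IRIX and glibc machines do this automatically".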