Re: rh 6.2 - gid compromises, etc [+ MORE!!!]

[satan () FASTDIAL NET (Stan Bubrouski)]

Ya know the sad thing is I pointed out these problems in 
bugzilla posts the gkermit being sgid uucp I reported
two+ weeks ago.  No response.  My description of the
gkermit bug which I reported couple weeks ago can be
found here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870

The slrn problem I attempted to fix around three weeks
ago, I submitted a patch to the maintainer, no response
however.  On June 20th I reported the slrn problems on
bugzilla and submitted a rough patch to fix a few problems
including the slrnpull one along with potential remote
overflows if group names excede certain lengths.  Check
out my bugzilla post for more detailed info and usable
patch: 
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12750

While we're on the subject, I might as well mention a couple
other things I've posted to red hat's bugzilla in the past
few weeks/months that haven't trickled there way into here
yet.

The C-Kermit package that comes on the Powertools CD with
Red Hat 6.2 is installed sgid uucp as well and contains
a plethera of unchecked buffers than can be used to run
commands as gid uucp. Details can be found here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723

Another package that shipped with Red Hat 6.2 that has
some trouble is diskcheck.  Diskcheck is a program that
run hourly by cron that creates an e-mail message in
/tmp with a warning about drives over 90% full, and if
a drive is 90% full it sends the message.  Unfortunately
the name is too predictable and because the file is created
hourly regardless of how much disk space is left there is
a race condition that allows any file on any mounted
filesystem to be overwritten.  This is fixed in latest
rawhide release.  Details can be found here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723

The Mgetty-sendfax package has a symlink problem as well.
When faxrunqd is run it creates a file named .last_run 
in the world-writable /var/spool/fax/outgoing directory
and wouldn't you know it follows symlinks and gladly
smashes any file you feel like smashing.  More details
can be found at:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874

More about mentioned kerberos problems.  A while ago I
reported a DoS in ksu to the kerberos team, and I'm
assuming it is now fixed because it did appear in the
CERT advisory I think, either way here's a clear
picture of how to exploit it:

# doexec ksu `perl -e'print "A" x 100000;'`

that's it.  If ksu is suid on your system (this was
tested only krb5-1.1.1) then you may be vulnerable.
When using the packages provided with redhat linux
6.2 the above froze my machine and even sysreq keys
to sync drives and unmount do not work.  More details:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11107

Want more? I've got more!!!  Gnome uses eSound for
sound stuff, at least newest versions do, anyway,
the eSound library creates a directory in /tmp named
.esd which is of course Mode: (0777/drwxrwxrwx) and
creates a socket named socket in /tmp/.esd and keep
in mind this occurs each time gnome is run.  So
what's the problem?  If /tmp/.esd is a symlink, esound
will gladly create socket wherever the symlink points
to like / or /etc/cron.daily or any other place your
creative mind can come up with.  Could be a problem if
it is created where another program looks for a socket
named socket as well.  Nifty eh?  Yeah I know not really.

Want even MOOOOOORE? Ok...on to the famed imapd (by famed
I refer to its lack of security and maintainers carefree
attitude towards NOT using bounds-checking though this
problem is unrelated.)  I found a remote DoS against imapd
that can be done by regular mail users.  Here's a session:
* OK linux.local IMAP4rev1 v12.264 server ready
x login sb testpass
x OK LOGIN completed
x list ""  
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
/*
[I diconnected without logging out]

Because imap can take literally hours to process long
queries like that the session continues even after I
disconnect.
root console on linux *45* minutes later!!!:

[root@linux /root]# ps aux | grep imapd
sb  1213 92.0  2.7  2740 1256 ? R  17:56  45:06 imapd

On my machine, after 30 of those processes were running this 
is what I got when I tried to connect to my imapd:
[root@king /root]# telnet linux 143
Trying 192.168.0.3...
telnet: Unable to connect to remote host: Connection refused

imapd refuses to accept connections and thus the DoS is
affective.  I reported this to redhat 2 months ago and
no response to my post so for details and cheesy exploit
check out:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11052

Ok now want some final food for thought?  Netscape
Communicator and Navigator security preferences are
really just simple html forms that get submitted to an
internal parser.  What nobody seems to recognize is that
there is nothing preventing a webpage from including
such a form that when submitted could change a user's
security preferences.  If all the correct fields are
not present on one of these forms netscape will crash
100% of the time when a form is submitted to it's
internal parser so in the very least it gives fresh
new series of DoS attacks against netscape browsers on
ALL platforms, windows and unix/linux alike.  More
details here:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11725

Minor probs:

top program that ships with redhat has some buffer 
overflows most notably huge HOME variable will crash 
it upon startup.  No harm since it's not suid or sgid.

tcp_wrappers has buffer overflow when argv[0] is big
and may have another potential overflow (would be more
serious) in code dealing with hosts and users more info
plus crappy patches can be found at:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11881

It's 3am I'm tired, if I remember any more stuff I'll post
later on.  If this comes out incoherent or messy I'm sorry.

-Stan Bubrouski

complaints, comments, gripes, I hate/love you's
to: satan () fastdial net
(stan + a = satan)