Bugtraq mailing list archives
Re: rh 6.2 - gid compromises, etc [+ MORE!!!]
From: satan () FASTDIAL NET (Stan Bubrouski)
Date: Thu, 22 Jun 2000 06:40:42 -0000
Ya know the sad thing is I pointed out these problems in bugzilla posts; the gkermit being sgid uucp I reported two+ weeks ago. No response. My description of the gkermit bug which I reported a couple weeks ago can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870

The slrn problem I attempted to fix around three weeks ago; I submitted a patch to the maintainer, no response however. On June 20th I reported the slrn problems on bugzilla and submitted a rough patch to fix a few problems, including the slrnpull one along with potential remote overflows if group names exceed certain lengths. Check out my bugzilla post for more detailed info and a usable patch: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12750

While we're on the subject, I might as well mention a couple other things I've posted to Red Hat's bugzilla in the past few weeks/months that haven't trickled their way into here yet.

The C-Kermit package that comes on the Powertools CD with Red Hat 6.2 is installed sgid uucp as well and contains a plethora of unchecked buffers that can be used to run commands as gid uucp. Details can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723

Another package that shipped with Red Hat 6.2 that has some trouble is diskcheck. Diskcheck is a program that is run hourly by cron; it creates an e-mail message in /tmp with a warning about drives over 90% full, and if a drive is 90% full it sends the message. Unfortunately the name is too predictable, and because the file is created hourly regardless of how much disk space is left, there is a race condition that allows any file on any mounted filesystem to be overwritten. This is fixed in the latest rawhide release. Details can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723

The Mgetty-sendfax package has a symlink problem as well. When faxrunqd is run it creates a file named .last_run in the world-writable /var/spool/fax/outgoing directory and, wouldn't you know it, follows symlinks and gladly smashes any file you feel like smashing. More details can be found at: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874

More about the mentioned kerberos problems. A while ago I reported a DoS in ksu to the kerberos team, and I'm assuming it is now fixed because it did appear in the CERT advisory I think; either way, here's a clear picture of how to exploit it:

# doexec ksu `perl -e'print "A" x 100000;'`

That's it. If ksu is suid on your system (this was tested only on krb5-1.1.1) then you may be vulnerable. When using the packages provided with Red Hat Linux 6.2 the above froze my machine, and even sysrq keys to sync drives and unmount do not work. More details: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11107

Want more? I've got more!!! Gnome uses eSound for sound stuff, at least the newest versions do. Anyway, the eSound library creates a directory in /tmp named .esd which is of course Mode: (0777/drwxrwxrwx) and creates a socket named socket in /tmp/.esd, and keep in mind this occurs each time gnome is run. So what's the problem? If /tmp/.esd is a symlink, esound will gladly create socket wherever the symlink points to, like / or /etc/cron.daily or any other place your creative mind can come up with. Could be a problem if it is created where another program looks for a socket named socket as well. Nifty eh? Yeah I know, not really.

Want even MOOOOOORE? Ok... on to the famed imapd (by famed I refer to its lack of security and the maintainers' carefree attitude towards NOT using bounds-checking, though this problem is unrelated). I found a remote DoS against imapd that can be done by regular mail users. Here's a session:

* OK linux.local IMAP4rev1 v12.264 server ready
x login sb testpass
x OK LOGIN completed
x list "" /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/* /*
[I disconnected without logging out]

Because imap can take literally hours to process long queries like that, the session continues even after I disconnect. Root console on linux *45* minutes later!!!:

[root@linux /root]# ps aux | grep imapd
sb 1213 92.0 2.7 2740 1256 ? R 17:56 45:06 imapd

On my machine, after 30 of those processes were running this is what I got when I tried to connect to my imapd:

[root@king /root]# telnet linux 143
Trying 192.168.0.3...
telnet: Unable to connect to remote host: Connection refused

imapd refuses to accept connections and thus the DoS is effective. I reported this to Red Hat 2 months ago and no response to my post, so for details and a cheesy exploit check out: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11052

Ok, now want some final food for thought? Netscape Communicator and Navigator security preferences are really just simple html forms that get submitted to an internal parser. What nobody seems to recognize is that there is nothing preventing a webpage from including such a form that, when submitted, could change a user's security preferences. If all the correct fields are not present on one of these forms, netscape will crash 100% of the time when a form is submitted to its internal parser, so at the very least it gives a fresh new series of DoS attacks against netscape browsers on ALL platforms, windows and unix/linux alike. More details here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11725

Minor probs: the top program that ships with Red Hat has some buffer overflows, most notably a huge HOME variable will crash it upon startup. No harm since it's not suid or sgid. tcp_wrappers has a buffer overflow when argv[0] is big and may have another potential overflow (would be more serious) in code dealing with hosts and users; more info plus crappy patches can be found at: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11881

It's 3am, I'm tired; if I remember any more stuff I'll post later on. If this comes out incoherent or messy I'm sorry.

-Stan Bubrouski
complaints, comments, gripes, I hate/love you's to: satan () fastdial net (stan + a = satan)
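The diskcheck, faxrunqd and esound problems above share one root cause: a privileged process creates a file at a predictable name in a world-writable directory with a plain open-for-write, so a symlink planted there redirects the write. This added example (not from the post or from any of the packages it names) shows that pattern next to the O_CREAT|O_EXCL|O_NOFOLLOW form that refuses it; the scratch directory, "victim" file and "report" link are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: fopen(path, "w") follows a symlink sitting at the
 * predictable name and truncates whatever file it points to. */
static int naive_create(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("disk over 90% full\n", f);     /* 19 bytes */
    fclose(f);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything (a
 * planted symlink included) already exists at the name; O_NOFOLLOW
 * makes a symlink fail with ELOOP even without O_CREAT. */
static int safe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* errno: EEXIST or ELOOP */
    if (write(fd, "disk over 90% full\n", 19) != 19) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Constructed scenario: "victim" stands in for a target file, "report"
 * is the attacker-planted symlink at the predictable report path.
 * Returns 1 when safe_create refuses and naive_create clobbers victim. */
int run_symlink_check(void) {
    char dir[] = "/tmp/racedemoXXXXXX";    /* scratch dir, constructed */
    char victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/report", dir);
    FILE *v = fopen(victim, "w");
    if (!v) return 0;
    fputs("important data\n", v);          /* 15 bytes */
    fclose(v);
    if (symlink(victim, link) != 0) return 0;
    int refused = safe_create(link) == -1 && (errno == EEXIST || errno == ELOOP);
    int intact = stat(victim, &st) == 0 && st.st_size == 15;
    int clobbered = naive_create(link) == 0 && stat(victim, &st) == 0 && st.st_size == 19;
    unlink(link); unlink(victim); rmdir(dir);
    return (refused && intact && clobbered) ? 1 : 0;
}
```

The same check applies to the esound case: a socket created at a fixed path under a 0777 directory needs the directory itself verified (owned by the caller, not a symlink) before anything is created inside it.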