Bugtraq mailing list archives

Re: rh 6.2 - gid compromises, etc


From: satan () FASTDIAL NET (Stan Bubrouski)
Date: Fri, 23 Jun 2000 04:30:35 -0000


A couple of things I forgot to say but should have:

#1
The slrnpull overflow in NNTPSERVER is harmless
in RedHat 6.2 because its permissions are

[root@king srpms]# l /usr/bin/slrnpull
-rwxr-s--- 1 news news  50684 Jun 10 18:39 /usr/bin/slrnpull

Regular users cannot execute slrnpull, therefore there
is no vulnerability in that regard, though as I stated
before there are other problems in the slrnpull code when
it downloads/spools groups.

#2
slocate.  I'm not sure what you meant by:

- slocate - custom input file can be specified using LOCATE_PATH;
           due to almost no input validation, it's possible to
           supply many different input patterns, some of them will
           cause potentially exploitable SEGVs; please review this
           code. Ah, forgotten, gid slocate can be used to
           access slocate database in unrestricted mode (every
           file in filesystem indexed, including eg. /root,
           web scripts etc),

Yes, slocate is sgid slocate and the slocate database does
contain all files in the filesystem, BUT it does consider
permissions when outputting the location of files, for instance:

As root:
[root@king /]# locate nt_hash
/root/nt_hash.txt
[root@king /]# ls -ald /root 
drwxr-x---   55 root     root      4096 Jun 22 01:59 /root
[root@king /]# l -d /root/nt_hash.txt
-rw-r--r-- 1 root root  16379 Jun 12  1999 /root/nt_hash.txt
[root@king /]# locate nt_hash
/root/nt_hash.txt
[root@king /]#

OK, root can view files in /root, but now try as a regular
user:

[user@king beta]$ ls -al /root
ls: /root: Permission denied
[user@king beta]$ locate nt_hash
[user@king beta]$ 

As you can see, it will not list all files to regular users;
it obeys permissions.  The above example is from a default
Red Hat install.

Secondly, you claim that LOCATE_PATH is not properly parsed?
It is parsed using parse_decode_path(), the same function
that parses input from the command line.  Secondly, you claim
this variable can be used to cause segfaults and gain
privileges?  That doesn't seem true to me.  In fact, look at
these lines and judge for yourself:

   UID = getuid();
   GID = getgid();
   
   parse_decode_path(SLOCATEDB);
   parse_decode_path(getenv("LOCATE_PATH"));

Those lines of code are run before any other command line
options etc. are checked, and because privs are dropped at
this point I don't see how you can say anything can be
exploited to gain the privileges of the slocate group.  Can you
clarify?  Also, there is consistent bounds-checking/mallocing
throughout the source, and I did a quick scan of the relevant
code and didn't see anything potentially dangerous.  The
only thing I did notice is that if argv[0] is simply a
slash (/) and no other arguments are sent to the program
it will cause a for loop to continuously print " " to the
screen, and that in itself poses no probs.  The only crashes I
could cause were in malloc functions and they all seemed
harmless.  If you disagree I'd love some details, I have
plenty of free time ;-)

-Stan Bubrouski

comments, complaints, gripes, insults, compliments,
blackmail threats, unkind/kind remarks to:
satan () fastdial net
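An added illustration, written for this archive page and not taken from the post or from slocate's own source, of the behaviour shown above with /root/nt_hash.txt: a permission-aware locate has to verify every ancestor directory of a hit with the caller's real identity before printing it. The function names, the deny_root predicate and the sample hit list are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Predicate answering "can the invoking user search this directory?" */
typedef int (*searchable_fn)(const char *dir);
/* Live check: access(2) tests against the REAL uid/gid, so inside a
   setgid binary it answers for the caller, not for the slocate group. */
int real_searchable(const char *dir) { return access(dir, X_OK) == 0; }
/* Constructed predicate for offline testing: /root is drwxr-x--- root:root
   as in the post, so an ordinary user cannot search it. */
int deny_root(const char *dir) { return strcmp(dir, "/root") != 0; }
/* 1 if every ancestor directory of absolute `path` is searchable. */
int path_visible(const char *path, searchable_fn searchable) {
    char buf[4096];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf || path[0] != '/') return 0;
    if (!searchable("/")) return 0;
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i < len; i++) {  /* check /a, /a/b, ... but not the leaf */
        if (buf[i] != '/') continue;
        buf[i] = '\0';
        if (!searchable(buf)) return 0;
        buf[i] = '/';
    }
    return 1;
}

/* Keep only the database hits the caller may see; returns how many were kept. */
size_t filter_visible(const char *const *hits, size_t n, searchable_fn s,
                      const char **out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (path_visible(hits[i], s)) out[kept++] = hits[i];
    return kept;
}

/* Constructed sample of raw database hits (hypothetical paths). */
static const char *const SAMPLE_HITS[] = {
    "/root/nt_hash.txt", "/etc/passwd", "/home/user/nt_hash_notes.txt" };

size_t demo_count(void) {  /* with deny_root: 2, the /root hit is dropped */
    const char *out[3];
    return filter_visible(SAMPLE_HITS, 3, deny_root, out);
}

int main(void) {  /* the same filter run against the live filesystem */
    const char *o[3]; size_t n = filter_visible(SAMPLE_HITS, 3, real_searchable, o);
    for (size_t i = 0; i < n; i++) puts(o[i]);
    return 0;
}
```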