Bugtraq mailing list archives
Re: rh 6.2 - gid compromises, etc
From: satan () FASTDIAL NET (Stan Bubrouski)
Date: Fri, 23 Jun 2000 04:30:35 -0000
Couple things I forgot to say but should have:

#1 The slrnpull overflow in NNTPSERVER is harmless in RedHat 6.2 because its permissions are

    [root@king srpms]# l /usr/bin/slrnpull
    -rwxr-s---    1 news     news        50684 Jun 10 18:39 /usr/bin/slrnpull

Regular users cannot execute slrnpull, therefore there is no vulnerability in that regard, though as I stated before there are other problems in the slrnpull code when it downloads/spools groups.

#2 slocate. I'm not sure what you meant by:
> - slocate - custom input file can be specified using LOCATE_PATH;
>   due to almost no input validation, it's possible to supply many
>   different input patterns, some of them will cause potentially
>   exploitable SEGVs; please review this code. Ah, forgotten, gid
>   slocate can be used to access slocate database in unrestricted mode
>   (every file in filesystem indexed, including eg. /root, web scripts
>   etc),
Yes slocate is sgid slocate and the slocate database does contain all files in the filesystem, BUT it does consider permissions when outputting the location of files. For instance, as root:

    [root@king /]# locate nt_hash
    /root/nt_hash.txt
    [root@king /]# ls -ald /root
    drwxr-x---   55 root     root         4096 Jun 22 01:59 /root
    [root@king /]# l -d /root/nt_hash.txt
    -rw-r--r--    1 root     root        16379 Jun 12  1999 /root/nt_hash.txt
    [root@king /]# locate nt_hash
    /root/nt_hash.txt
    [root@king /]#

Ok root can view files in /root, but now try as a regular user:

    [user@king beta]$ ls -al /root
    ls: /root: Permission denied
    [user@king beta]$ locate nt_hash
    [user@king beta]$

As you can see it will not list all files to regular users; it obeys permissions. The above example is from a default Red Hat install.

Secondly you claim that LOCATE_PATH is not properly parsed? It is parsed using parse_decode_path(), the same function that parses input from the command line. Secondly you claim this variable can be used to cause segfaults and gain privileges? That doesn't seem true to me. In fact look at these lines and judge for yourself:

    UID = getuid();
    GID = getgid();
    parse_decode_path(SLOCATEDB);
    parse_decode_path(getenv("LOCATE_PATH"));

Those lines of code are run before any other command line options etc. are checked, and because privs are dropped at this point I don't see how you can say anything can be exploited to gain the privileges of the slocate group. Can you clarify?

Also there is consistent bounds-checking/mallocing throughout the source, and I did a quick scan of the relevant code and didn't see anything potentially dangerous. The only thing I did notice is that if argv[0] is simply a slash (/) and no other arguments are sent to the program it will cause a for loop to continuously print " " to the screen, and that in itself poses no probs. The only crashes I could cause were in malloc functions and they all seemed harmless.
If you disagree I'd love some details, I have plenty of free time ;-)

-Stan Bubrouski

comments, complaints, gripes, insults, compliments, blackmail threats, unkind/kind remarks to: satan () fastdial net
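The exchange above turns on two defensive points for a set-gid tool like slocate: the effective group should be dropped before anything untrusted (such as the LOCATE_PATH environment variable) is consulted, and the colon-separated list in that variable has to be parsed with explicit bounds. The following is an added example written for this archive page, not code from Stan's mail or from the slocate source; the function names (drop_group_privs, parse_db_list, count_db_list), the MAX_DBS and MAX_PATH caps and the environment variable name used in main are all assumptions, and the sample list in main is constructed.

```c
/* Added example (not slocate's code): a set-gid helper that drops its
 * effective group to the caller's real group BEFORE reading the
 * untrusted LOCATE_PATH-style environment variable, then parses that
 * variable with explicit bounds checks. Function and macro names are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_DBS   8      /* cap on database paths accepted from the env */
#define MAX_PATH  256    /* cap on the length of each path element */

/* Drop the effective gid to the real gid (undoing set-gid for this
 * process) and verify the drop actually took effect.
 * Returns 0 on success, -1 otherwise. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setgid(real) != 0)          /* for non-root this also resets the saved gid */
        return -1;
    if (getegid() != real)          /* never trust that setgid() worked silently */
        return -1;
    return 0;
}

/* Parse a colon-separated list such as LOCATE_PATH into fixed-size
 * buffers. Returns the number of entries stored, or -1 if any element
 * is too long for its buffer. Handles NULL (variable unset), the empty
 * string and empty elements ("a::b"); entries past MAX_DBS are ignored. */
int parse_db_list(const char *env, char out[MAX_DBS][MAX_PATH])
{
    int n = 0;
    if (env == NULL)
        return 0;
    const char *start = env;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len >= MAX_PATH)
            return -1;              /* refuse the whole list rather than truncate */
        if (len > 0 && n < MAX_DBS) {
            memcpy(out[n], start, len);
            out[n][len] = '\0';
            n++;
        }
        if (end == NULL)
            break;
        start = end + 1;
    }
    return n;
}

/* Convenience wrapper: how many usable entries a list contains. */
int count_db_list(const char *env)
{
    char dbs[MAX_DBS][MAX_PATH];
    return parse_db_list(env, dbs);
}

int main(void)
{
    char dbs[MAX_DBS][MAX_PATH];
    if (drop_group_privs() != 0) {
        fprintf(stderr, "could not drop group privileges\n");
        return 1;
    }
    /* Only after the drop do we look at anything the caller controls. */
    int n = parse_db_list(getenv("LOCATE_PATH"), dbs);
    if (n < 0) {
        fprintf(stderr, "LOCATE_PATH: element too long, ignoring variable\n");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("db[%d] = %s\n", i, dbs[i]);
    return 0;
}
```

The order in main is the point: the environment variable is never touched while the process still holds the set-gid group, so even a parser bug would be reached only with the caller's own privileges. The parser refuses an overlong element outright instead of truncating it, which is the usual source of "potentially exploitable SEGVs" in string-splitting code.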