Bugtraq mailing list archives
Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]]
From: satan () FASTDIAL NET (Satan)
Date: Fri, 23 Jun 2000 16:33:33 -0400
Frank da Cruz wrote:
Ya know the sad thing is I pointed out these problems in bugzilla posts the gkermit being sgid uucp I reported two+ weeks ago. No response. My description of the gkermit bug which I reported couple weeks ago can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870Hi all. I'm the author of gkermit, and this is the first I've heard of any of this (your message was forwarded to me by somebody who saw it on a mailing list). The author / support contact address is listed in the usage message and the man page; as a matter of courtesy, it should be included in bug reports. So who said gkermit should be installed suid or sgid? It shouldn't. It does not need privileges for anything. The documetantion says so:
Nobody that's why I only reported this to Red Hat. According to the changelogs in the RPMs for gkermit and C-Kermit it was people at Red Hat who adde the sgid bit and that is why I only reported the problem to them because it seemed obvious that they should not have been set sgid. That's all. If I thought that this was a problem with a larger scope than just Red Hat I would have reported it to you, but as it was the problem was not with your code so much as with Red Hat making them sgid uucp I chose not to bug you with things you had no control over.
The makefile creates a binary called "gkermit". Simply move this binary to the desired directory, such as /usr/local/bin. It needs no special permissions other than read, write, and execute for the desired users and groups: no setuid, no setgid, or any other form of privilege. This is from: http://www.columbia.edu/kermit/gkermit.htmlThe C-Kermit package that comes on the Powertools CD with Red Hat 6.2 is installed sgid uucp as well and contains a plethera of unchecked buffers than can be used to run commands as gid uucp. Details can be found here: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723This one is news too and, again, I'd appreciate receiving reports like this. Of course I'll follow up on it. There might be a couple unchecked buffers, but there is not a plethora of them. A great deal of effort has gone into pre-checking buffer copy operations, and if some places were missed they can be fixed.
Reading the C-Kermit code is in my opinion disorganized and very messy. Regardless of whether you agree with this or not, it appears to me the code is very old and needs alot of work. I know you and others have put much time into modernizing, changing, and removing large chunks of unnecessary code from the sources in order to improve the security and overall integrity of the code. The fact remains however that the code is old and because of that much is still in need of extensive review. I'm not saying you guys aren't trying and I'm not saying you people on the C-Kermit project aren't improving it, all I'm saying is that there are alot of problems and thus I feel that it should not be made sgid on systems where users could try to take advantage of bugs/problems in it. I see a handful of unchecked buffers as I'm sitting here writing this so I'm still convinced much needs to be done before it is safe to make this program sgid. I'll try to make note of all of the ones I see when I have time and I'll attempt to fix the ones I can and send you diffs ok? Oh yeah and here are some numbers regarding function use: strcat 302 strncat 31 strcpy 477 strncpy 625 (includes ckstrncpy) sprintf 886 snprintf 0! vsprintf 5 vsnprintf 0 Now in all seriousness do you really think that most of those 886 sprintf calls have bounds-checking? Anyway, I was wondering why do you guys use no snprintf calls in your code? Just curious, I can definately see some places that would benefit from it. -Stan Bubrouski
Frank da Cruz The Kermit Project Columbia University 612 West 115th Street New York NY 10025-7799 USA Email: fdc () columbia edu Web: http://www.columbia.edu/kermit/
Current thread:
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gid compromises, etc [+ MORE!!!]] Frank da Cruz (Jun 23)
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]] Satan (Jun 23)