Bugtraq mailing list archives
FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo
From: security-officer () FREEBSD ORG (FreeBSD Security Officer)
Date: Tue, 9 May 2000 12:20:49 -0700
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:17 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software. Category: core Module: libmytinfo Announced: 2000-05-09 Affects: FreeBSD 3.x before the correction date. Corrected: 2000-04-25 FreeBSD only: Yes Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch I. Background libmytinfo is part of ncurses, a text-mode display library. II. Problem Description libmytinfo allows users to specify an alternate termcap file or entry via the TERMCAP environment variable, however this is not handled securely and contains a overflowable buffer inside the library. This is a security vulnerability for binaries which are linked against libmytinfo and which are setuid or setgid (i.e. run with elevated privileges). It may also be a vulnerability in other more obscure situations where a user can exert control over the environment with which an ncurses binary is run by another user. FreeBSD 3.x and earlier versions use a very old, customized version of ncurses which is difficult to update without breaking backwards-compatibility. The update was made for FreeBSD 4.0, but it is unlikely that 3.x will be updated. However, the ncurses source is currently being audited for further vulnerabilities. III. Impact Certain setuid/setgid third-party software (including FreeBSD ports/packages) may be vulnerable to a local exploit yielding privileged resources, such as network sockets, privileged filesystem access, or outright privileged shell access (including root access). No program in the FreeBSD base system is believed to be vulnerable to the bug. FreeBSD 4.0 and above are NOT vulnerable to this problem. IV. Workaround Remove any setuid or setgid binary which is linked against libmytinfo (including statically linked), or remove set[ug]id privileges from the file as appropriate. The following instructions will identify the binaries installed on the system which are candidates for removal or removal of file permissions. Since there may be other as yet undiscovered vulnerabilities in libmytinfo it may be wise to perform this audit regardless of whether or not you upgrade your system as described in section V below. In particular, see the note regarding static linking in section V. Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit. 1) Download the 'libfind.sh' script from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh e.g. with the fetch(1) command: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh Receiving libfind.sh (460 bytes): 100% 460 bytes transferred in 0.0 seconds (394.69 Kbytes/s) # 2) Verify the md5 checksum and compare to the value below: # /sbin/md5 libfind.sh MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b 3) Run the libfind script against your system: # sh libfind.sh / This will scan your entire system for setuid or setgid binaries which are linked against libmytinfo. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. whether it can be run by arbitrary local users who may be able to exploit it to gain privileges. 4) Remove the binaries, or reduce their file permissions, as appropriate. V. Solution Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction date, or patch your present system source code and rebuild. Then run the libfind script as instructed in section IV and identify any statically-linked binaries (those reported as "STATIC" by the libfind script). These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by recompiling the shared libmytinfo library). To patch your present system: save the patch below into a file, and execute the following commands as root: cd /usr/src/lib/libmytinfo patch < /path/to/patch/file make all make install Patches for 3.x systems before the resolution date: Index: findterm.c =================================================================== RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v retrieving revision 1.3 diff -u -r1.3 findterm.c --- findterm.c 1997/08/13 01:21:36 1.3 +++ findterm.c 2000/04/25 16:58:19 @@ -242,7 +242,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ':') + while(*s != '\0' && *s != ':' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { @@ -259,7 +259,7 @@ } else { s = path->file; d = buf; - while(*s != '\0' && *s != ',') + while(*s != '\0' && *s != ',' && d - buf < MAX_LINE - 1) *d++ = *s++; *d = '\0'; if (_tmatch(buf, name)) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK 8/6vW7wH9W4= =NDsR -----END PGP SIGNATURE-----
Current thread:
- Possible symlink problems with Netscape 4.73, (continued)
- Possible symlink problems with Netscape 4.73 foo (May 10)
- SSH Authentication Vulnerability John P. McNeely (May 10)
- Re: [cert] SSH Authentication Vulnerability Ignacio Kadel-Garcia (May 11)
- Black Watch Labs Vulnerability Alert Black Watch Labs (May 10)
- issues with free Perl CGI's (Re: Black Watch Labs...) Peter W (May 10)
- Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Frank van Vliet (May 10)
- Re: Advisory: Unchecked system(blaat $var blaat) call in Bugzilla 2.8 Todd C. Miller (May 10)
- NetStructure 7110 console backdoor Brian Oblivion (May 09)
- NetStructure 7180 remote backdoor vulnerability Brian Oblivion (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:16.golddig FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo FreeBSD Security Officer (May 09)
- FreeBSD Security Advisory: FreeBSD-SA-00:18.gnapster FreeBSD Security Officer (May 09)
- Self-Replication Using Gnutella Seth McGann (May 09)
- ALERT: Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator Mitja Kolsek (May 10)