Re: dqs 3.2.7 local root exploit.

[Roman Drahtmueller <draht () suse de>]

> DESCRIPTION:
> I found a buffer overflow vunerability on the
> /usr/bin/dsh (dqs 3.2.7
> package).
>
> I really don't know if this bug was discovered
> already. if thats right,
> then sorry =).

No, this is yet unknown to security () suse de.

> If a long line on the first argument is gived, the
> program gives a SIGSEGV
> signal.
>
> This bug was reported to Drake Diedrich, Mantainer
> for dqs
> (Drake.Diedrich () anu edu adu).
>
> AFFECTED:
> SusE 6.3, 6.4, 7.0 have the dqs 3.2.7 by default
> an then it are vunerable,
> maybe others.

I confirm this vulnerability and that dqs has the setuid bit on the file
/usr/bin/dsh, but the package (as a package in the clustering series) is
not installed by default.

The fix (to remove the suid bit) is correct. If you have selected to set
the variable PERMISSION_SECURITY in /etc/rc.config to "secure local" in
SuSE-7.1 (recommended for security-enhanced settings), you are not
vulnerable. On SuSE-7.1, in addition to the chmod command below, change
the files /etc/permissions.*, too, to reflect the removed suid bit.

If you do not need the dqs package, simply remove it using the command
  rpm -e dqs

Of course, we will provide update packages as soon as possible.

> FIX:
> Remove the SUID permission
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwsr-xr-x    1 root     root       502748 May 18
> 00:36 /usr/bin/dsh
> |root@netdex /root|# chmod -s /usr/bin/dsh
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwxr-xr-x    1 root     root       502748 May 18

Regards,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                    -
| Roman Drahtmüller <draht () suse de>     "Caution: Cape does not        |
  SuSE GmbH - Security                  enable user to fly."
| Nürnberg, Germany                     (Batman Costume warning label) |
 -                                                                    -