Bugtraq mailing list archives
Re: dqs 3.2.7 local root exploit.
From: Roman Drahtmueller <draht () suse de>
Date: Sat, 19 May 2001 05:26:40 +0200 (MEST)
> DESCRIPTION: I found a buffer overflow vulnerability in /usr/bin/dsh (dqs 3.2.7 package). I really don't know if this bug was discovered already. If that's right, then sorry =).
No, this is yet unknown to security () suse de.
> If a long line on the first argument is given, the program gives a SIGSEGV signal. This bug was reported to Drake Diedrich, Maintainer for dqs (Drake.Diedrich () anu edu adu).
>
> AFFECTED: SuSE 6.3, 6.4, 7.0 have dqs 3.2.7 by default and so are vulnerable, maybe others.
I confirm this vulnerability and that dqs has the setuid bit on the file /usr/bin/dsh, but the package (as a package in the clustering series) is not installed by default. The fix (to remove the suid bit) is correct.

If you have selected to set the variable PERMISSION_SECURITY in /etc/rc.config to "secure local" in SuSE-7.1 (recommended for security-enhanced settings), you are not vulnerable.

On SuSE-7.1, in addition to the chmod command below, change the files /etc/permissions.*, too, to reflect the removed suid bit.

If you do not need the dqs package, simply remove it using the command

    rpm -e dqs

Of course, we will provide update packages as soon as possible.
> FIX: Remove the SUID permission
>
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwsr-xr-x 1 root root 502748 May 18 00:36 /usr/bin/dsh
> |root@netdex /root|# chmod -s /usr/bin/dsh
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwxr-xr-x 1 root root 502748 May 18
Regards,
Roman Drahtmüller,
SuSE Security.
--
| Roman Drahtmüller <draht () suse de> | "Caution: Cape does not
| SuSE GmbH - Security                 |  enable user to fly."
| Nürnberg, Germany                    | (Batman Costume warning label)
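
A check for the two-part fix described in this message (clear the bit on /usr/bin/dsh, then update /etc/permissions.*), as an added example that is not part of the original post. The optional root-prefix argument and the three-field entry layout (`path owner mode`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): check that the dsh
# mitigation is complete. The optional ROOT prefix is hypothetical and
# only exists so the check can be run against a test tree.

# Exit 0 if the file carries a setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print "file:line: entry" for each /etc/permissions.* entry that still
# gives TARGET a setuid/setgid mode.
# Assumed entry layout: "<path> <owner> <octal mode>".
perm_entries_with_setid() {
    target=$1 root=${2:-}
    for f in "$root"/etc/permissions.*; do
        [ -f "$f" ] || continue
        awk -v t="$target" -v f="$f" '
            /^[ \t]*#/ { next }                 # skip comment lines
            NF >= 3 && $1 == t {
                m = $3
                # special-bits digit is 4th from the right (4=setuid, 2=setgid)
                d = (length(m) >= 4) ? substr(m, length(m) - 3, 1) + 0 : 0
                if (d >= 2) printf "%s:%d: %s\n", f, NR, $0
            }' "$f"
    done
}

# Exit 0 only when the binary has no set-id bit and no permissions file
# still lists one for it; otherwise report what remains and exit 1.
audit_setid() {
    target=$1 root=${2:-} rc=0
    if has_setid "$root$target"; then
        echo "set-id bit still present: $root$target"
        rc=1
    fi
    left=$(perm_entries_with_setid "$target" "$root")
    if [ -n "$left" ]; then
        echo "$left"
        rc=1
    fi
    return $rc
}

# Usage on a live system: audit_setid /usr/bin/dsh
```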
Current thread:
- dqs 3.2.7 local root exploit. dex dex (May 18)
- Re: dqs 3.2.7 local root exploit. Roman Drahtmueller (May 19)
- Re: dqs 3.2.7 local root exploit. Drake Diedrich (May 19)