Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Re: Several FreeBSD-3.3 vulnerabilities]
From: btellier () USA NET (Brock Tellier)
Date: Wed, 1 Dec 1999 13:21:44 MST


Kris Kennaway <kris () hub freebsd org> wrote:
On Tue, 30 Nov 1999, Brock Tellier wrote:

All of the vulnerabilities discussed herein are based on my work on
FreeBSD 3.3-RELEASE. Each of the programs was installed with the
default permissions given when unpacked with sysinstall. 
These permissions are:
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon

This one was fixed a month ago after your last advisory. Obviously, if
you're still using the same version of the OS you used in your initial
advisory, it's not going to be fixed :-)

No, I mentioned that older hole but I also revealed six more that were equally
serious and presumably unpatched.  Unless your fix was to remove the suid-bit
by default, seyon would still be vulnerable.

-rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath

This one is a hole in the vendor-provided software, which wants to >install
it setuid uucp by default. With ~2800 third-party apps shipped with
FreeBSD, we can't be held responsible for the security of all of them :-)

This is the statement I have a bit of a problem with.  Sure there are 2800
ports, but how many of these are suid/sgid?  I'm thinking *maybe* 50 that I
saw when I did a full install of 3.3-RELEASE.  Fifty apps, most of which are
small like xmindpath, isn't a ridiculous number to audit.  At LEAST auditing
them for command-line overflows and setting up a /tmp watcher.  
You may not be legally responsible, or be able to take responsibility for the
quality of the code, but when you allow a third-party to put a *suid* program
into your distribution you imply some sort of trust with the end-user
regarding it's security integrity.  At least to the point that we can assume
that someone has taken the time to xmindpath -arg $BUF.  Note that this isn't
specifically directed at FreeBSD or free OS's.

-r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband

This one is our fault (in the sense that installing it setgid games so it
can write a high score file is not something the software does by
default).

Your advisory wasn't clear whether or not you contacted the port
maintainers directly about these, and they were just slow off the mark, >or
if it was just security-officer () freebsd org  Assuming the former, one way
of expediting the process would be to send mail to the (new)
audit () freebsd org mailing list which has several people who will be quite
happy to do some butt-kicking to get a response :-)

No, I contacted security-officer () freebsd org who responded that HE had
contacted the maintainers.  That was the last I ever heard of it.  

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]