Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: pmpost - another nice symlink follower
From: Roman Drahtmueller <draht () suse de>
Date: Tue, 19 Jun 2001 08:27:57 +0200 (MEST)

Hi Paul,

From: Paul Starzetz <paul () starzetz de>
To: "bugtraq () securityfocus com" <bugtraq () securityfocus com>
Date: Mon, 18 Jun 2001 19:11:20 +0200
Subject: pmpost - another nice symlink follower

Hi,

there is a symlink handling problem in the pcp suite from SGI. The
binary pmpost will follow symlinks, if setuid root this leads to instant
root compromise, as found on SuSE 7.1 (I doubt that this a default SuSE
package, though).

Attached a simple C source to demonstrate this (gcc pm.c -o pm  then
./pm)

If you like, you can send me your phone number and I will call you during
the day to privately discuss things like vendor notification. Key for
encryption is appended.


The pmpost binary is contained in the package "pcp", as shipped with the
distributions SuSE-7.0, 7.1 and 7.2.

In the distribution 7.0, /usr/share/pcp/bin/pmpost is not installed setuid
root. In 7.1 and 7.2, pmpost _is_ setuid root and therefore exploitable.

The pcp package is not installed by default in any of the distributions.

As a temporary and permanent workaround, remove the setuid bits from the
two programs /usr/share/pcp/bin/pmpost and /usr/share/pcp/bin/pmkstat by
using the following command (as root):
  chmod a-s /usr/share/pcp/bin/*
A change to /etc/permissions* is not necessary because the two binaries
are not listed there. Users of the package might want to change ownerships
to make the functionality of the pmpost program available again.
Alternatively, users may want to delete the package if it is not used:
  rpm --nodeps -e pcp
There will be update packages on the ftp server shortly that have exactly
this "fix" applied.

Further details:

The source in src/libpcp/src/config.c reads
            if ((p = getenv(var)) != NULL)
                val = p;
 for configuration items from /etc/pcp.conf and therefore trusts user
input/environment. The same applies for the environment variable PCP_CONF
that specifies the configuration file. This attitude towards treating user
input does not qualify for privileged execution. The actual open(2) call
in src/pmpost/pmpost.c (near "umask(022); /* is this just paranoid? */)
can't be fixed without completely ignoring the user-supplied environment
since open(2) can't guarantee that a path segment leading to the file is
not a symlink.

Thanks,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GZkBogQ6PkmGEQQArE12Iaqt
f+wQjaoH5EeZ4ZdyQFXAvb5tZJ43I2jXprLZvtHAsf2zHDWemjaSCPBsOU27pzP2
+DxD10d7Ig1Zvqx2AIuZ28GKsdMThIHmDB6UYlzrWu94Y7I2eafcT5Qo3evUDG0T
NRlFK1ZUeMpvsOdLxyNTSkq5Ngs5wF6JaksAoNMBk58wBX14qt3AjMeEQ2FE/jBL
A/43uC4QaQw0Qq5/6fgqw3LavuTfbkNZfs0fFGeuzByuhZaAvC199iQszS9K2aIX
lZ63LNtP/dmFOW02X8CpB+1xnizjDlNkhhw5iRzNFuuwfN7HxmYhEFkz1pze0vwg
7VZIQTlDYWqaXHtpwW346H8bPS3bF+cLoL7yxtzKeGCWxgP/a4rr9q9Hz8s1D7RD
dNmorkNvWV3CWjiPaNcw6pLuYH0N3f7L+mad/2DBHn0kclX569rKN9aScHOWuQoA
zrFjJmw0pSLKXrV9Iyo5qSIy8cBzOU9LSdZ5794hW5Jz5Ydqqp0gbUaVSCyzA0v8
gJNnGscYzA9VWkFI0d5KhLIRtKW0IlJvbWFuIERyYWh0bXVlbGxlciA8ZHJhaHRA
c3VzZS5kZT6IVwQTEQIAFwUCOj5JhgULBwoDBAMVAwIDFgIBAheAAAoJEJ5A4xAA
Cqukv9MAoLVnjtaHIejgC5r473/QNtU3FEysAJ4hz1dxV54icImNEvoZ0dcFJEro
0YhGBBARAgAGBQI6Pk5GAAoJEMZi4eocmHdOZ1UAoK7iTgth6GndgbYQSnu4nUoz
6CUHAJ9+IxOfKT+GoISQ2oRBeTiG9a3Jt4hGBBARAgAGBQI7Hf1VAAoJEMdSqjKw
3/eAcVwAoIAK4ctu9+EsUmBKyb0JTB8I2BR/AJ49sFNK9bZMh4C7rY/AP6P6w1YW
UIkBFQMFEDseX7x3suYAPSXT2QEBufkH/3l46NEp/Rd+8wsElBuXdcH6sq6fxrp5
WEnPnZf6WjdmPp/ltdt99jBEvN0Ail3Dj4sbKdMJZoSVRjYop6G72WCc3+N4JK3w
3nuRSD8VGRjZwh9JoqeI2f3y7EEFyAM60FMmOA7DdDm3vzVEy0PAWFn2Y1ozwS4M
dPeBoySz3jIyEsFhEqb4SDehbWeHvbWhRHzSM8g4jhByy0VkUt2/PAZSHwwqAgdf
6osKcuypxtPN9K3Yl98rJgMG2Z5i3c/pRf31cBbR/UmMdTBgtCeImdgyLXThygeV
FDh5ykAOh/QoAyXVXeez9Q88hKvTojdjM5ayZ2hBkUci2bctqJsUvCKIRgQQEQIA
BgUCOx5kdQAKCRB2ijSz6Eh6OTybAJ9oYaORzmV0a3XlBEmqW/d3JU6VrgCfS5hb
KEpgyO4Fd30HigVRFboLUUeIRgQQEQIABgUCOx5wsAAKCRD8o9aEVh9DsUScAJ4q
7DFM0xqOP7FMr/LhK0F0/Lz3uwCdFVpr14vXgFcdEBYyBJw2sjCS7s25AQ0EOj5J
iRAEAKDOLWP9f3BE1i32IPD0fzFJEEiDA/h5TzBrN1/JG/BCOq4WfATAU2/z0dvq
OqRd7Mu0fFEX9VC4ahCJrY881BjMC7hXr9AEJKtLHauRavzLjp80syJ7lyG25Ae8
9ZP9D7x88qaA7LGnnI4IChOI8LPqd66zWB6NzZLYN/JZaB0vAAMHA/9bbtmuy9MM
rx4gEi17uWRFsx8SDNgCdZrNWHqbxNY7L3gX0NWLAGcO5gR+80PN+kpqxbM+yu1Z
G/oqhNyx73hkxuGXSq5XE/L/bLn0EqQUmtQ3+iDDmVcxYpTM3HL800jIIBkSbCd/
WDymjENnW8zYpqszNocf1HLV/9Po2yr2ZohGBBgRAgAGBQI6PkmJAAoJEJ5A4xAA
CqukGAsAn3qRlEIQpNvBLdfa8/joYRy/L8ncAKC1zMtZh5BKBaI/nhhMLVRnjs/h
pA==
=KuAY
-----END PGP PUBLIC KEY BLOCK-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault