Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: dqs 3.2.7 local root exploit.
From: Roman Drahtmueller <draht () suse de>
Date: Sat, 19 May 2001 05:26:40 +0200 (MEST)

DESCRIPTION:
I found a buffer overflow vunerability on the
/usr/bin/dsh (dqs 3.2.7
package).

I really don't know if this bug was discovered
already. if thats right,
then sorry =).

No, this is yet unknown to security () suse de 

If a long line on the first argument is gived, the
program gives a SIGSEGV
signal.

This bug was reported to Drake Diedrich, Mantainer
for dqs
(Drake.Diedrich () anu edu adu).

AFFECTED:
SusE 6.3, 6.4, 7.0 have the dqs 3.2.7 by default
an then it are vunerable,
maybe others.

I confirm this vulnerability and that dqs has the setuid bit on the file
/usr/bin/dsh, but the package (as a package in the clustering series) is
not installed by default.

The fix (to remove the suid bit) is correct. If you have selected to set
the variable PERMISSION_SECURITY in /etc/rc.config to "secure local" in
SuSE-7.1 (recommended for security-enhanced settings), you are not
vulnerable. On SuSE-7.1, in addition to the chmod command below, change
the files /etc/permissions.*, too, to reflect the removed suid bit.

If you do not need the dqs package, simply remove it using the command
  rpm -e dqs

Of course, we will provide update packages as soon as possible.

FIX:
Remove the SUID permission
|root () netdex /root|# ls -la /usr/bin/dsh
-rwsr-xr-x    1 root     root       502748 May 18
00:36 /usr/bin/dsh
|root () netdex /root|# chmod -s /usr/bin/dsh
|root () netdex /root|# ls -la /usr/bin/dsh
-rwxr-xr-x    1 root     root       502748 May 18

Regards,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                    -
| Roman Drahtmüller <draht () suse de>     "Caution: Cape does not        |
  SuSE GmbH - Security                  enable user to fly."
| Nürnberg, Germany                     (Batman Costume warning label) |
 -                                                                    -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault