Re: dqs 3.2.7 local root exploit.
From: Roman Drahtmueller <draht () suse de>
Date: Sat, 19 May 2001 05:26:40 +0200 (MEST)

I found a buffer overflow vulnerability in /usr/bin/dsh (dqs 3.2.7).

I really don't know if this bug was discovered already. If that's right,
then sorry =).

No, this is yet unknown to security () suse de 

If a long line is given as the first argument, the program gives a SIGSEGV.

This bug was reported to Drake Diedrich, maintainer for dqs
(Drake.Diedrich () anu edu adu).

SuSE 6.3, 6.4 and 7.0 have dqs 3.2.7 by default and are therefore vulnerable;
maybe others are too.

I confirm this vulnerability and that dqs installs /usr/bin/dsh with the
setuid bit set, but the package (part of the clustering series) is not
installed by default.

The fix (removing the suid bit) is correct. If you have set the variable
PERMISSION_SECURITY in /etc/rc.config to "secure local" on SuSE-7.1
(recommended for security-enhanced settings), you are not vulnerable. On
SuSE-7.1, in addition to the chmod command below, also change the files
/etc/permissions.* to reflect the removed suid bit, so that the next
permissions run does not restore it.

If you do not need the dqs package, simply remove it using the command
  rpm -e dqs

Of course, we will provide update packages as soon as possible.

Remove the SUID permission
|root () netdex /root|# ls -la /usr/bin/dsh
-rwsr-xr-x    1 root     root       502748 May 18 00:36 /usr/bin/dsh
|root () netdex /root|# chmod -s /usr/bin/dsh
|root () netdex /root|# ls -la /usr/bin/dsh
-rwxr-xr-x    1 root     root       502748 May 18

Roman Drahtmüller,
SuSE Security.
 -                                                                    -
| Roman Drahtmüller <draht () suse de>     "Caution: Cape does not        |
  SuSE GmbH - Security                  enable user to fly."
| Nürnberg, Germany                     (Batman Costume warning label) |
 -                                                                    -
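The mitigation described in the reply (strip the setuid bit from the binary, verify it is gone, and mirror the change in /etc/permissions.*) as a small POSIX shell helper. This is an added example, not code from the advisory, from SuSE or from the dqs project; the /etc/permissions.* line layout it assumes ("path owner.group mode") and the sample entries are constructed for illustration, and the file paths are parameters rather than the advisory's fixed /usr/bin/dsh.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit and remove a setuid bit
# and keep the distribution's permissions database consistent with it.

# has_suid FILE -> exit status 0 if the set-user-ID bit is set on FILE
has_suid() {
    [ -u "$1" ]
}

# list_suid DIR -> print every regular file under DIR with the setuid bit
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# strip_suid FILE -> clear setuid and setgid, then confirm the bit is gone
# (equivalent to the advisory's "chmod -s", written in portable symbolic form)
strip_suid() {
    chmod u-s,g-s "$1" && ! has_suid "$1"
}

# fix_permissions_entry PERMFILE PATH -> in a permissions file whose lines are
# assumed to read "path owner.group mode", change a 4xxx mode for PATH to 0xxx
# so a later permissions run does not restore the setuid bit
fix_permissions_entry() {
    perm_file=$1
    target=$2
    awk -v p="$target" '$1 == p && $3 ~ /^4/ { sub(/^4/, "0", $3) } { print }' \
        "$perm_file" > "$perm_file.tmp" && mv "$perm_file.tmp" "$perm_file"
}
```

Run it as root on the real system with strip_suid /usr/bin/dsh followed by fix_permissions_entry /etc/permissions.secure /usr/bin/dsh (and the other permissions.* files that list the binary); list_suid /usr/bin afterwards should no longer show dsh.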
