Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

rh 6.2 - gid compromises, etc

From: lcamtuf () TPI PL (Michal Zalewski)
Date: Wed, 21 Jun 2000 12:54:08 +0200

Probably it's nothing exciting, but several packets supplied with RH 6.2
will allow <500 gid/uid compromises. On every system it HAS some kind of
meaning - sometimes just a little (exceeding quotas, hiding from
accounting, anonymous intrusions to other systems) - but sometimes
compromised uucp or news privledges might be used to intercept/modify/deny
important traffic on server itself.

IMHO, it's good to minimalise number of setuid root applications in
system. But moving to setgids won't solve anything. Of course, you might
avoid root security compromise, but uid/gid 'news' gained on newsserver,
'http' or 'nobody' gained on webserver or 'uucp' gained on UUCP machine
is not the thing that should happen.

I checked about 15 setgid applications from RH 6.2, performing some basic
tests - environment parsing, privledges dropping and input validation. And
it looks bad:

- slrnpull (setgid: news) - using eg. NNTPSERVER environmental variable,
  you can cause nice SEGV... egid==news, of course. On systems running
  innd server (and probably other newsservers as well), group 'news' can
  be used to control content of whole spool, and to elevate privledges,
  gaining euid news. From this point, we can simply takeover nntp
  service.

  Under some conditions, inews can be used in the same way, but bug
  is hidden a little bit deeper. I'll leave it as an exercise to
  readers (and maintainers - please audit your code, not only fix
  published bugs),

- gkermit - can read/write/append files with egid==uucp; these file
            include many /dev/ entries, /etc/uucp/passwd etc; can
            be dangerous on systems running uucp.

- slocate - custom input file can be specified using LOCATE_PATH;
            due to almost no input validation, it's possible to
            supply many different input patterns, some of them will
            cause potentially exploitable SEGVs; please review this
            code. Ah, forgotten, gid slocate can be used to
            access slocate database in unrestricted mode (every
            file in filesystem indexed, including eg. /root,
            web scripts etc),

Also, I'm still surprised with number of world-writable files/directories
shipped with every RH installation. It is difficult to perform something
like:

# find / -perm -2 \! -type l -exec ls -ld {} \;

? People are very often setting up /tmp on separate partitions, with eg.
nosuid option, the same about /home, but most of them are missing _a_lot_
of these directories (some of them are even setuid, huh).

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Previous By Date Next
Previous By Thread Next

Current thread: