---------- Forwarded message ----------
Date: Fri, 29 May 1998 02:29:50 +0200 (CEST)
From: Andrea Arcangeli <[EMAIL PROTECTED]>
Subject: ALERT: Tiresome security hole in "xosview", RedHat5.1? (fwd)

I'd like to bring to your attention this email from bugtraq that reached me a few minutes ago, written by Chris, a Linux kernel developer I know from linux-kernel. The RH5.1 xosview problem does not exist on Debian 2.0, and Debian has already had, for more than a week, all the Xlibs fixed against the latest bug that allows becoming root, and the latest samba fixed for other bugs that theoretically would have allowed becoming root (while Chris notes that the Red Hat rpms still haven't arrived).

Ciao!
Andrea[s] Arcangeli

---------- Forwarded message ----------
Date: Thu, 28 May 1998 04:49:17 +0100
From: Chris Evans <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: ALERT: Tiresome security hole in "xosview", RedHat5.1?

Hi,

I am bemused. After some security auditing on RH5.0, I was curious as to what new suid binaries and daemons shipped with RH5.1. The first one I noticed was "xosview". God knows why it needs to be SUID; it probably doesn't, but the makefile just makes the binary suid by default. Linux has /proc, which has enough information that ferreting around in /dev/kmem using root privs isn't required. Or perhaps it needs to be suid root for the network load? By the way, this didn't work regardless. Anyway.
I ran the following highly complicated and time-consuming command on the xosview sources:

    grep strcpy *.cc

Tricky one, eh? Perhaps vaguely sensible when shipping a new SUID binary, i.e. REDHAT THINK!!!!!!

Results of grep include, in Xrm.cc:

    char userrfilename[1024];
    strcpy(userrfilename, getenv("HOME"));

Ohhh, that's nice. Hey, but wait, that can't be dangerous. The author clearly knew what he/she was doing:

    char className[256];
    strncpy(className, name, 255); // Avoid evil people out there...

appears later. I found this amusing.

Anyway, I hope it's apparent this is exploitable. xosview doesn't appear to drop privs. Also, that is _by no means the only vulnerable section of code_, just the stupidest bit.

Temp. (and probably permanent) solution: "chmod u-s `which xosview`".

Anyway, well done RedHat for "blunder of the week".

Still fuming,
Chris

PS. Whilst you're at it RedHat, fix the X libraries (new security holes just found) as well as dhcpd (remote root, well documented), glibc env vars (linux-security documented), and upgrade samba to 1.9.18p7 in an update rpm.

--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe" as the Subject.